Windows Analysis Report
TMSSetup.exe

Overview

General Information

Sample name:TMSSetup.exe
Analysis ID:1459800
MD5:e0efcd15daaa87d864f56c803156ae43
SHA1:5327dd70591fd8687b5514c44c3604d1728f909e
SHA256:9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43
Tags:Broomstick, exe, Oyster

Detection

Score:68
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Contains functionality to detect virtual machines
PE file contains section with special chars
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
PE file does not import any functions
Queries information about the installed CPU (vendor, model number etc)
Queries keyboard layouts
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • TMSSetup.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\TMSSetup.exe" MD5: E0EFCD15DAAA87D864F56C803156AE43)
    • rundll32.exe (PID: 7304 cmdline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test MD5: EF3179D498793BF4234F708D3BE28633)
      • rundll32.exe (PID: 7320 cmdline: "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test MD5: 889B99C52A60DD49227C5E485A016679)
    • MSTeamsSetup_c_l_.exe (PID: 7372 cmdline: "C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe" MD5: CF0E0F57B68A11D099EC944200A6069D)
  • MSTeamsSetup_c_l_.exe (PID: 7408 cmdline: "C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe" --rerunningWithoutUAC MD5: CF0E0F57B68A11D099EC944200A6069D)
    • Update.exe (PID: 7432 cmdline: "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode MD5: 8F0E958D7EF57D727ADCDA1C67C24C2B)
      • Squirrel.exe (PID: 7940 cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe MD5: 17927E3240D3B0212A4B93C1D45F92B0)
      • Teams.exe (PID: 7920 cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.15969 MD5: E20A8E5630CFCAD496816E211D212EAC)
      • Teams.exe (PID: 2996 cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun MD5: E20A8E5630CFCAD496816E211D212EAC)
        • Teams.exe (PID: 2500 cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: E20A8E5630CFCAD496816E211D212EAC)
        • Teams.exe (PID: 5232 cmdline: "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: E20A8E5630CFCAD496816E211D212EAC)
      • regsvr32.exe (PID: 652 cmdline: "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
        • regsvr32.exe (PID: 4936 cmdline: /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll" MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)
      • regsvr32.exe (PID: 2024 cmdline: "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\SquirrelTemp\Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

Source | Rule | Description | Author | Strings
5.0.Update.exe.bb0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |
10.0.Squirrel.exe.820000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security |

No Sigma rule has matched
No Snort rule has matched

            AV Detection

            Source: TMSSetup.exe ReversingLabs: Detection: 52%
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe File created: C:\Users\user\AppData\Local\SquirrelTemp\SquirrelSetup.log
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe File created: C:\Users\user\AppData\Local\Microsoft\Teams\current\SquirrelSetup.log
            Source: Binary string: m,C:\Windows\System.pdb source: Update.exe, 00000005.00000002.3126596827.0000000007F59000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: netstandard.pdb.mdb source: Update.exe, 00000005.00000002.3098174267.0000000004D72000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000000.1690098324.0000000000BB2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000005.00000002.3098174267.0000000004C03000.00000004.00000800.00020000.00000000.sdmp, Squirrel.exe, 0000000A.00000000.2963107929.000000000084F000.00000002.00000001.01000000.0000000F.sdmp
            Source: Binary string: C:\Users\postman\Desktop\NZT\ProjectD_cpprest\CleanUp\Release\CleanUp.pdb source: TMSSetup.exe, TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: C:\BITDIR\AVRETAIL\qhav\bin\Upgrade\x64\Release\upgui.pdb source: TMSSetup.exe, 00000000.00000002.1687414941.000000014003B000.00000002.00000001.01000000.00000003.sdmp, TMSSetup.exe, 00000000.00000000.1663892050.000000014003B000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Update.exe, 00000005.00000002.3087782619.0000000001365000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Update.exe, 00000005.00000002.3110632304.00000000061E5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Setup\bin\Release\Setup.pdb/ source: TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000000.1685400502.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000002.3131881323.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Setup\bin\Release\Setup.pdb source: TMSSetup.exe, TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000000.1685400502.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000002.3131881323.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: \??\C:\Windows\System.pdb source: Update.exe, 00000005.00000002.3124418916.0000000007B51000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.pdb source: Update.exe, 00000005.00000002.3126596827.0000000007F59000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: Update.exe, 00000005.00000002.3087782619.0000000001365000.00000004.00000020.00020000.00000000.sdmp
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: 3_2_002F6982 SHGetFolderPathW,CreateDirectoryW,GetLastError,SHGetFolderPathW,GetUserNameW,GetLastError,CreateDirectoryW,GetLastError,FindResourceW,LoadResource,SizeofResource,LockResource,DeleteFileW,FreeResource,GetFileAttributesW,GetModuleHandleW,GetModuleFileNameW,PathFileExistsW,CopyFileW,FindFirstFileW,GetLastError,FindClose,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,DeleteFileW,CloseHandle,CloseHandle,FreeResource,3_2_002F6982
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user\AppData\Local\Microsoft\Teams\current
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user\AppData\Local\Microsoft\Teams
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user\AppData
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user\AppData\Local
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File opened: C:\Users\user\AppData\Local\Microsoft

            Networking

            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 64.95.10.243 443
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 149.248.79.62 443
            Source: Yara match File source: 5.0.Update.exe.bb0000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 10.0.Squirrel.exe.820000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, type: DROPPED
            Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe, type: DROPPED
            Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe, type: DROPPED
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: 3_2_002F136F __EH_prolog3_GS,GetActiveWindow,GetTempPathW,GetTempFileNameW,_wcsrchr,MoveFileW,CoCreateInstance,URLDownloadToFileW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,DeleteFileW,3_2_002F136F
            Source: Joe Sandbox View IP Address: 52.113.194.132
            Source: Joe Sandbox View IP Address: 52.178.17.2
            Source: Joe Sandbox View IP Address: 20.42.65.88
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/am.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ar.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ar.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/bn.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/bn.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ca.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ca.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/da.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/da.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/de.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/de.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/el.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/el.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/en-GB.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/en-GB.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/en-US.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/en-US.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/es-419.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/es-419.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/et.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/et.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fa.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fa.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fi.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fi.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fil.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/fil.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/gu.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/gu.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/he.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/he.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/hi.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/hi.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/hr.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/hr.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/id.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/id.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ja.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ja.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/kn.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/kn.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ko.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ko.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/lt.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/lt.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/pl.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/pl.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ro.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ro.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ru.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ru.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sk.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sk.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sr.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sr.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sv.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sv.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sw.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/sw.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ta.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/ta.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/te.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/te.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/th.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/th.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/tr.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/tr.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/uk.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/uk.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/zh-CN.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/locales/zh-CN.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140_1.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140_1.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140_2.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/msvcp140_2.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/Update.VisualElementsManifest.xml
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/Update.VisualElementsManifest.xmld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/adal34-win/build/Release/
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/keyboard-layout/build/Rel
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/m365-browser/build/Releas
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/native-utils/build/Releas
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/office-int-win/build/Rele
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/oneauth/lib/oneauth.node
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/oneauth/lib/oneauth.noded
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/RTMPLTFM.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/RtmCodecs.dl
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/RtmControl.d
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/SlimCV.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/SlimCV.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/cm.slim
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/cm.slimd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/onnxruntime.
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/qm.slim
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/qm.slimd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/sharing-indi
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/skypert.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/skypert.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/slimcore.nod
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/ssScreenVVS2
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/app.asard
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-available.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-available.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-away.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-away.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-busy.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-busy.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-dnd.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-dnd.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-reset.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/12x12-reset.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/20x20-available.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/20x20-available.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/20x20-dnd.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/20x20-dnd.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_2.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_2.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_4.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_4.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_5.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_5.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_6.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_6.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_7.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/assets/Badge_7.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/vcruntime140.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/vcruntime140.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/vi-VN/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/zh-TW/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Large_12
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Large_14
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Large_19
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Large_96
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Small_12
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Small_14
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Small_19
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Assets/NewMeeting_Small_96
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.IdentityModel.Lo
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.IdentityModel.To
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.Teams.Diagnostic
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.Teams.MeetingAdd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.Web.WebView2.Win
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.Web.WebView2.Wpf
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Newtonsoft.Json.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Newtonsoft.Json.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/OneAuth.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/OneAuth.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/System.IdentityModel.Token
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/System.Net.Http.Formatting
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/ar-SA/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/bg-BG/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/ca-ES/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/cs-CZ/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/cy-GB/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/da-DK/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/en-GB/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/es-ES/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/es-MX/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/et-EE/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/fi-FI/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/he-IL/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/hu-HU/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/id-ID/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/is-IS/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/it-IT/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/lt-LT/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/msvcp140.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/msvcp140.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/nb-NO/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/nl-NL/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/nn-NO/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/pl-PL/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/pt-PT/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/ro-RO/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/ru-RU/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/sk-SK/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/sl-SI/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/sr-Latn-RS/Microsoft.Teams
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/sv-SE/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/tr-TR/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/vcruntime140.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/vcruntime140.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/vi-VN/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/zh-CN/Microsoft.Teams.Meet
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/tmp/Teams/resources/ThirdPartyNotice.txt
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/resources/tmp/Teams/resources/ThirdPartyNotice.txtd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/snapshot_blob.bin
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/snapshot_blob.bind
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/v8_context_snapshot.bin
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/v8_context_snapshot.bind
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vcruntime140.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vcruntime140.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vcruntime140_1.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vcruntime140_1.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vk_swiftshader.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vk_swiftshader.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vk_swiftshader_icd.json
            Source: Update.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vk_swiftshader_icd.jsond
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vulkan-1.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/lib/net45/vulkan-1.dlld
            Source: Update.exe, 00000005.00000002.3091408859.00000000036AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/package/services/metadata/core-properties/5961463727b542b0b7fbd025c76ab66e.p
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.asar
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.asard
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.bin
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.bind
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.bsdiff
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.bsdiffd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.config
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.configd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.dat
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.datd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.diff
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.diffd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.dll
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.dlld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.exe
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.exed
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.ftz
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.ftzd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.html
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.htmld
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.ico
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.icod
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.json
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.jsond
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.node
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.noded
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.nuspec
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.nuspecd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.pak
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.pakd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.png
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.pngd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.pri
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.prid
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.psmdcp
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.psmdcpd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.rels
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.relsd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.shasum
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.shasumd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.slim
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.slimd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.tlb
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.tlbd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.txt
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.txtd
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.xml
            Source: Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/tempfiles/sample.xmld
            Source: Update.exe, 00000005.00000002.3091408859.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.000000000398C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onedscolprdeus04.eastus.cloudapp.azure.com
            Source: Update.exe, 00000005.00000002.3091408859.00000000036F0000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.000000000398C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://onedscolprdeus04.eastus.cloudapp.azure.comd
            Source: Update.exe, 00000005.00000002.3091408859.00000000036AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.openxmlformats.or
            Source: Update.exe, 00000005.00000002.3091408859.00000000032EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: Update.exe, 00000005.00000002.3091408859.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.00000000036C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://statics.teams.cdn.office.net
            Source: Update.exe, 00000005.00000002.3091408859.00000000036BB000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.00000000036C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://statics.teams.cdn.office.netd
            Source: Update.exe, 00000005.00000002.3098174267.0000000004D72000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000000.1690098324.0000000000BB2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000005.00000002.3098174267.0000000004C03000.00000004.00000800.00020000.00000000.sdmp, Squirrel.exe, 0000000A.00000000.2963107929.000000000084F000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: https://api.github.com/#
            Source: Update.exe, 00000005.00000002.3098174267.0000000004D72000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000000.1690098324.0000000000BB2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000005.00000002.3098174267.0000000004C03000.00000004.00000800.00020000.00000000.sdmp, Squirrel.exe, 0000000A.00000000.2963107929.000000000084F000.00000002.00000001.01000000.0000000F.sdmp String found in binary or memory: https://github.com/myuser/myrepo
            Source: Update.exe, 00000005.00000002.3091408859.00000000032EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pipe.int.trafficmanager.net/Collector/3.0/t-
            Source: Update.exe, 00000005.00000002.3091408859.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.00000000036BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://statics.teams.cdn.office.net
            Source: Update.exe, 00000005.00000002.3091408859.00000000036BB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/icons/microsoft_teams_logo_refresh.ico
            Source: Update.exe, 00000005.00000002.3091408859.00000000033CF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.15969/
            Source: Update.exe, 00000005.00000002.3091408859.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3098174267.00000000045F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.15969/RELEASES.exe
            Source: Update.exe, 00000005.00000002.3091408859.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3098174267.00000000045F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.15969/Teams-1.7.00.15969-full.nup
            Source: Update.exe, 00000005.00000002.3091408859.00000000033CF000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.0000000003704000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.000000000335C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://teams.nel.measure.office.net/api/report?cat=teams
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: RegisterRawInputDevices() failed for RIDEV_REMOVE

            System Summary

            Source: TMSSetup.exe Static PE information: section name: e^u>z^
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process Stats: CPU usage > 49%
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: 3_2_002F1955 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,ExitWindowsEx,3_2_002F1955
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: String function: 00304AF0 appears 54 times
            Source: TMSSetup.exe Static PE information: invalid certificate
            Source: TMSSetup.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
            Source: TMSSetup.exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
            Source: MSTeamsSetup_c_l_.exe.0.dr Static PE information: Resource name: DATA type: Zip archive data, at least v2.0 to extract, compression method=deflate
            Source: Microsoft.Teams.MeetingAddin.resources.dll10.5.dr Static PE information: No import functions for PE file found
            Source: Microsoft.Teams.MeetingAddin.resources.dll6.5.dr Static PE information: No import functions for PE file found
            Source: Microsoft.Teams.MeetingAddin.resources.dll14.5.dr Static PE information: No import functions for PE file found
            Source: Microsoft.Teams.MeetingAddin.resources.dll11.5.dr Static PE information: No import functions for PE file found
            Source: TMSSetup.exe Binary or memory string: OriginalFilename vs TMSSetup.exe
            Source: TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameSetup.exe@ vs TMSSetup.exe
            Source: CleanUp.dll.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
            Source: classification engine Classification label: mal68.troj.evad.winEXE@21/619@0/13
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: 3_2_002F6509 __EH_prolog3_GS,CoCreateInstance,VariantInit,IUnknown_QueryInterface_Proxy,VariantClear,VariantClear,3_2_002F6509
            Source: C:\Users\user\Desktop\TMSSetup.exe Code function: 0_2_005F1000 FindResourceA,SizeofResource,LoadResource,0_2_005F1000
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Teams
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net memory cache 4.0
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe Mutant created: NULL
            Source: C:\Windows\SysWOW64\rundll32.exe Mutant created: \Sessions\1\BaseNamedObjects\ITrkfSaV-4c7KwdfnC-Ds165XU4C-lH6R9pk1
            Source: C:\Users\user\Desktop\TMSSetup.exe File created: C:\Users\user\AppData\Local\Temp\CleanUp.dll
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Command line argument: kernel32.dll 3_2_002FE7E8
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Command line argument: --checkInstall 3_2_002FE7E8
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Command line argument: --allUsers 3_2_002FE7E8
            Source: TMSSetup.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\TMSSetup.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\TMSSetup.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE cookies(creation_utc INTEGER NOT NULL,host_key TEXT NOT NULL,top_frame_site_key TEXT NOT NULL,name TEXT NOT NULL,value TEXT NOT NULL,encrypted_value BLOB NOT NULL,path TEXT NOT NULL,expires_utc INTEGER NOT NULL,is_secure INTEGER NOT NULL,is_httponly INTEGER NOT NULL,last_access_utc INTEGER NOT NULL,has_expires INTEGER NOT NULL,is_persistent INTEGER NOT NULL,priority INTEGER NOT NULL,samesite INTEGER NOT NULL,source_scheme INTEGER NOT NULL,source_port INTEGER NOT NULL,is_same_party INTEGER NOT NULL);
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
            Source: TMSSetup.exe ReversingLabs: Detection: 52%
            Source: TMSSetup.exe String found in binary or memory: Setup version is newer, re-installing Teams from the machine-wide installer...
            Source: TMSSetup.exe String found in binary or memory: set-addPolicy
            Source: TMSSetup.exe String found in binary or memory: Accept-Additions
            Source: TMSSetup.exe String found in binary or memory: List-Help
            Source: TMSSetup.exe String found in binary or memory: MMHS-Exempted-Address
            Source: TMSSetup.exe String found in binary or memory: Originator-Return-Address
            Source: TMSSetup.exe String found in binary or memory: "%s" --install . %s %s
            Source: TMSSetup.exe String found in binary or memory: id-cmc-addExtensions
            Source: MSTeamsSetup_c_l_.exe String found in binary or memory: Setup version is newer, re-installing Teams from the machine-wide installer...
            Source: MSTeamsSetup_c_l_.exe String found in binary or memory: "%s" --install . %s %s
            Source: unknown Process created: C:\Users\user\Desktop\TMSSetup.exe "C:\Users\user\Desktop\TMSSetup.exe"
            Source: C:\Users\user\Desktop\TMSSetup.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test
            Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test
            Source: C:\Users\user\Desktop\TMSSetup.exe Process created: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe "C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
            Source: unknown Process created: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe "C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe" --rerunningWithoutUAC
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Process created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe "C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.15969
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
            Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\regsvr32.exe /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll"
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: wintypes.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: msctfui.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: uiautomationcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: propsys.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: d3dcompiler_47.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: sxs.dllJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeSection loaded: explorerframe.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: mscoree.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: kernel.appcore.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: version.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: windows.storage.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: wldp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: dwrite.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: msvcp140_clr0400.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: profapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: iphlpapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: dnsapi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: dhcpcsvc6.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: dhcpcsvc.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: winnsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: ntmarta.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: amsi.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: userenv.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: rasapi32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: rasman.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: rtutils.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: rasadhlp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: fwpuclnt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: secur32.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeSection loaded: schannel.dllJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ffmpeg.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uiautomationcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dwrite.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ffmpeg.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uiautomationcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dwrite.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: kbdus.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: profapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msvcp140.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: credui.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: wtsapi32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: vcruntime140_1.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: vcruntime140.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: vcruntime140.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: vcruntime140_1.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: duser.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: atlthunk.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: textshaping.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: textinputframework.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: coreuicomponents.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: coremessaging.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: wintypes.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: windows.ui.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: windowmanagementapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: inputhost.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: twinapi.appcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: twinapi.appcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mmdevapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winsta.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mscms.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: coloradapterclient.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: gpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: rsaenh.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptnet.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: apphelp.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: aclayers.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: sfc_os.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: uxtheme.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: mscoree.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: msvcp140.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: vcruntime140.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: vcruntime140.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: vcruntime140_1.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: windows.storage.dll
            Source: C:\Windows\System32\regsvr32.exeSection loaded: wldp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: apphelp.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: aclayers.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mpr.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: sfc_os.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: mscoree.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: msvcp140.dll
            Source: C:\Windows\SysWOW64\regsvr32.exeSection loaded: vcruntime140.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ffmpeg.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uiautomationcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dwrite.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: kernel.appcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dxgi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: resourcepolicyclient.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mf.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mfplat.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: rtworkq.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msmpeg2vdec.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mfperfhelper.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptsp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dxva2.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msvproc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dwmapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ffmpeg.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uiautomationcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbghelp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msimg32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: version.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: userenv.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: iphlpapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dwrite.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: propsys.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: secur32.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dbgcore.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: msasn1.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: cryptbase.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: powrprof.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: umpdc.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: uxtheme.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: kbdus.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: nlaapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dhcpcsvc6.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: dnsapi.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: rasadhlp.dll
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeSection loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\TMSSetup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
            Source: Window Recorder Window detected: More than 3 window changes detected
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Teams
            Source: TMSSetup.exe Static PE information: Image base 0x140000000 > 0x60000000
            Source: TMSSetup.exe Static file information: File size 7692344 > 1048576
            Source: TMSSetup.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x158200
            Source: TMSSetup.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x5a9e00
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: TMSSetup.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: m,C:\Windows\System.pdb source: Update.exe, 00000005.00000002.3126596827.0000000007F59000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: netstandard.pdb.mdb source: Update.exe, 00000005.00000002.3098174267.0000000004D72000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000000.1690098324.0000000000BB2000.00000002.00000001.01000000.00000007.sdmp, Update.exe, 00000005.00000002.3098174267.0000000004C03000.00000004.00000800.00020000.00000000.sdmp, Squirrel.exe, 0000000A.00000000.2963107929.000000000084F000.00000002.00000001.01000000.0000000F.sdmp
            Source: Binary string: C:\Users\postman\Desktop\NZT\ProjectD_cpprest\CleanUp\Release\CleanUp.pdb source: TMSSetup.exe, TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: C:\BITDIR\AVRETAIL\qhav\bin\Upgrade\x64\Release\upgui.pdb source: TMSSetup.exe, 00000000.00000002.1687414941.000000014003B000.00000002.00000001.01000000.00000003.sdmp, TMSSetup.exe, 00000000.00000000.1663892050.000000014003B000.00000002.00000001.01000000.00000003.sdmp
            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: Update.exe, 00000005.00000002.3087782619.0000000001365000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: Update.exe, 00000005.00000002.3110632304.00000000061E5000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Setup\bin\Release\Setup.pdb/ source: TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000000.1685400502.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000002.3131881323.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: D:\a\_work\1\s\src\Setup\bin\Release\Setup.pdb source: TMSSetup.exe, TMSSetup.exe, 00000000.00000000.1664045615.00000001401FF000.00000002.00000001.01000000.00000003.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000000.1685400502.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000002.3131881323.0000000000326000.00000002.00000001.01000000.00000006.sdmp, MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmp
            Source: Binary string: \??\C:\Windows\System.pdb source: Update.exe, 00000005.00000002.3124418916.0000000007B51000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: m.pdb source: Update.exe, 00000005.00000002.3126596827.0000000007F59000.00000004.00000010.00020000.00000000.sdmp
            Source: Binary string: System.pdb source: Update.exe, 00000005.00000002.3087782619.0000000001365000.00000004.00000020.00020000.00000000.sdmp
            Source: TMSSetup.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: TMSSetup.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: TMSSetup.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: TMSSetup.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: TMSSetup.exe, Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe, Code function: 3_2_002FE7E8 LoadLibraryW,GetProcAddress,lstrlenW,lstrlenW,CoInitialize,InitCommonControlsEx,MessageBoxW,GetModuleHandleW,GetModuleFileNameW,lstrlenW,CoUninitialize, 3_2_002FE7E8
            Source: Update.exe.5.dr, Static PE information: real checksum: 0x282500 should be: 0x28228a
            Source: CleanUp.dll.0.dr, Static PE information: real checksum: 0x0 should be: 0x424b01
            Source: TMSSetup.exe, Static PE information: section name: _RDATA
            Source: TMSSetup.exe, Static PE information: section name: e^u>z^
            Source: WebView2Loader.dll.5.dr, Static PE information: section name: .00cfg
            Source: WebView2Loader.dll.5.dr, Static PE information: section name: .voltbl
            Source: vcruntime140.dll.5.dr, Static PE information: section name: _RDATA
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Process created: C:\Windows\SysWOW64\regsvr32.exe "C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
            Source: C:\Users\user\Desktop\TMSSetup.exe, Code function: 0_2_006042DF push rax; ret 0_2_00604349
            Source: C:\Users\user\Desktop\TMSSetup.exe, Code function: 0_2_005F0098 push rsi; retf 0_2_005F00A3
            Source: C:\Users\user\Desktop\TMSSetup.exe, Code function: 0_2_005F0090 push 898E44CBh; retf 0_2_005F0097
            Source: C:\Users\user\Desktop\TMSSetup.exe, Code function: 0_2_00604398 push rax; ret 0_2_00604349
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe, Code function: 3_2_0030451A push ecx; ret 3_2_0030452D
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe, Code function: 3_2_00304B36 push ecx; ret 3_2_00304B49
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_01623540 push es; ret 5_2_0162355A
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_0179E0AA push esp; ret 5_2_0179E0B3
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_0179C200 push eax; mov dword ptr [esp], edx 5_2_0179C214
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_057A43AF push esp; retn 056Bh 5_2_057A4771
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_0799862C pushfd ; iretd 5_2_07998E21
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_0799601D pushfd ; iretd 5_2_07996021
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_07998DF3 pushfd ; iretd 5_2_07998E21
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_07998DE3 pushad ; iretd 5_2_07998DF1
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Code function: 5_2_07998DE3 pushfd ; iretd 5_2_07998E21
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe, Code function: 3_2_002F136F __EH_prolog3_GS,GetActiveWindow,GetTempPathW,GetTempFileNameW,_wcsrchr,MoveFileW,CoCreateInstance,URLDownloadToFileW,ShellExecuteExW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,DeleteFileW, 3_2_002F136F
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\nl-NL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sl-SI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\is-IS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\msvcp140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\System.IdentityModel.Tokens.Jwt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\runtimes\win-x86\native\WebView2Loader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\es-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.Diagnostics.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\AddinInstaller.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\it-IT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Web.WebView2.Core.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\zh-TW\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\he-IL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\adal34-win\build\Release\adal-win.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\System.IdentityModel.Tokens.Jwt.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ar-SA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.AuthLib.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\OneAuth.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.Diagnostics.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\zh-CN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\bg-BG\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ja-JP\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\is-IS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\m365-browser\build\Release\m365-browser.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.MeetingAddin.dllJump to dropped file
            Source: C:\Users\user\Desktop\TMSSetup.exeFile created: C:\Users\user\AppData\Local\Temp\CleanUp.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\hr-HR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\nb-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\System.Net.Http.Formatting.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\zh-CN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\nn-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\msvcp140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-synch-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Web.WebView2.Core.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-processenvironment-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Applications.Telemetry.Windows.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\slimcore.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ar-SA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\vi-VN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\adal34-win\build\Release\adal.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ca-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\es-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.Tokens.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\cy-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\zh-TW\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\et-EE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\tr-TR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ro-RO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\runtimes\win-x64\native\WebView2Loader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\nn-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Applications.Telemetry.Windows.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AuthLib.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\nl-NL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\fr-FR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\pt-PT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\oneauth\lib\oneauth.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmControl.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\office-int-win\build\Release\office-int-win.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\es-MX\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.MeetingAddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\el-GR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\el-GR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pl-PL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\uk-UA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\da-DK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\lt-LT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\runtimes\win-x64\native\WebView2Loader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\electron-windows-interactive-notifications\build\Release\InteractiveNotifications.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\vcruntime140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ko-KR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\adal2-meetingaddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\de-DE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-util-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\pl-PL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\lv-LV\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\lt-LT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\libGLESv2.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ca-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\th-TH\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\adal2-meetingaddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ko-KR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\ucrtbase.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fr-FR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\hu-HU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\vulkan-1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pt-PT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\lv-LV\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\th-TH\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\d3dcompiler_47.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l2-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\bg-BG\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\hu-HU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\hr-HR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.Logging.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\es-MX\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\electron-windows-interactive-notifications\build\Release\notifications_bindings.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\vcruntime140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ja-JP\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Applications.Telemetry.Windows.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\vi-VN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.JsonWebTokens.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-console-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\Update.exeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sk-SK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\nb-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmPal.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\System.Net.Http.Formatting.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\tr-TR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\fr-CA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\vcruntime140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\it-IT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sl-SI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\OneAuth.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\pt-BR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\ffmpeg.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\cy-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\media-hid\build\Release\media-hid.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmCodecs.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-console-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ro-RO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\de-DE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\he-IL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\zh-TW\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sv-SE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\hu-HU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@msteams\package-utils\build\Release\package-utils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\vccorlib140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\vcruntime140_1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\es-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sl-SI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\ssScreenVVS2.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\sharing-indicator.nodeJump to dropped file
            Source: C:\Users\user\Desktop\TMSSetup.exe File created: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe File created: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\is-IS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sv-SE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.IdentityModel.Tokens.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ro-RO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fr-CA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-heap-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\OneAuth.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sk-SK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AuthLib.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pt-BR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.MeetingAddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ar-SA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\nl-NL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140_codecvt_ids.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\cy-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RTMPLTFM.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\zh-CN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\vdibridge.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\fasttext-languagedetector\build\Release\fastText-languagedetector.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\m365-browser\build\Release\m365-browser.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@msteams\package-utils\build\Release\package-utils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\media-hid\build\Release\media-hid.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@skype\call-manager\build\Release\call_manager.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\adal34-win\build\Release\adal-win.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\modern-osutils\build\Release\modern-osutils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\msft-wam\build\Release\wam.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\office-int-win\build\Release\office-int-win.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\oneauth\lib\oneauth.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\sharing-indicator.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\electron-windows-interactive-notifications\build\Release\notifications_bindings.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeFile created: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\slimcore.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe File created: C:\Users\user\AppData\Local\SquirrelTemp\SquirrelSetup.log
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe File created: C:\Users\user\AppData\Local\Microsoft\Teams\current\SquirrelSetup.log
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005F2010 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005F2010
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\TMSSetup.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: SOFTWARE\VMware, Inc.\VMware VDM SOFTWARE\VMware, Inc.\VMware VDM 3_2_002FA1C0
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Memory allocated: 1790000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Memory allocated: 32E0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Memory allocated: 30F0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Memory allocated: 12C0000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Memory allocated: 2D30000 memory reserve | memory write watch
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Memory allocated: 4D30000 memory reserve | memory write watch
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 187240
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 197619
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 188917
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 193214
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 208634
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 184214
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 186510
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 195240
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 204752
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 201160
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 193606
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 183779
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 191394
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 209618
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 209963
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 190977
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 200336
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 190675
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 203949
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 186542
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 208808
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180434
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 204000
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 198709
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 206026
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 195393
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 188779
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 188246
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 180946
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Window / User API: threadDelayed 6352
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Window / User API: threadDelayed 3366
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Window / User API: threadDelayed 9136
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Web.WebView2.WinForms.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Web.WebView2.WinForms.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.IdentityModel.Tokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\pl-PL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\assets\TeamsIconSet.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.IdentityModel.JsonWebTokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Newtonsoft.Json.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Newtonsoft.Json.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\nl-NL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-processthreads-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\it-IT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\tr-TR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\fi-FI\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\pt-PT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\fr-FR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.IdentityModel.Tokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\pt-BR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l1-2-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\he-IL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-convert-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.IdentityModel.Logging.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.AuthLib.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\AddinInstaller.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\vcomp140.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\en-GB\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\es-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.MeetingAddin.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-profile-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\hr-HR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\System.IdentityModel.Tokens.Jwt.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\de-DE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.IdentityModel.JsonWebTokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\is-IS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\de-DE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Web.WebView2.Core.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\msft-wam\build\Release\wam.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keytar4\build\Release\keytar.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-datetime-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ko-KR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sv-SE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\fr-FR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\nb-NO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\pt-PT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-interlocked-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@skype\call-manager\build\Release\call_manager.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\runtimes\win-x86\native\WebView2Loader.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\es-MX\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\libEGL.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ca-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\el-GR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\lv-LV\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\th-TH\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ru-RU\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\uk-UA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.IdentityModel.Logging.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\da-DK\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\bg-BG\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Web.WebView2.WinForms.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Web.WebView2.WinForms.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\th-TH\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ja-JP\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\vi-VN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140_2.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\nn-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\es-MX\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\fr-CA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.IdentityModel.Logging.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\concrt140.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\fasttext-languagedetector\build\Release\fastText-languagedetector.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\lv-LV\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\vi-VN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\da-DK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\onnxruntime.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\lt-LT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\pl-PL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\nb-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmMediaManager.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\uk-UA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\keyboard-layout\build\Release\keyboard-layout-manager.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\lt-LT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\et-EE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\packages\RELEASES.exe
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\adal2-meetingaddin.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\et-EE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\SlimCV.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ja-JP\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sl-SI\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sv-SE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Applications.Telemetry.Windows.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\da-DK\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ar-SA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\System.IdentityModel.Tokens.Jwt.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140_atomic_wait.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\tr-TR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\zh-CN\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\modern-osutils\build\Release\modern-osutils.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-heap-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ro-RO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\zh-TW\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ko-KR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\native-utils\build\Release\native-utils.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.Diagnostics.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\he-IL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\AddinInstaller.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-processthreads-l1-1-1.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\uk-UA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sk-SK\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\adal2-meetingaddin.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\id-ID\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Web.WebView2.Core.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\pt-BR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-filesystem-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-private-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\et-EE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\hu-HU\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-time-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\bg-BG\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\vdibridge.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\cy-GB\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\System.Net.Http.Formatting.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140_1.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.IdentityModel.JsonWebTokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ca-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\fr-CA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\AddinInstaller.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-conio-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\hr-HR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sk-SK\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-handle-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\System.Net.Http.Formatting.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\nn-NO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\OneAuth.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\el-GR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.Diagnostics.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\it-IT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-environment-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-debug-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\registry-utils\build\Release\registry-utils.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\nl-NL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sl-SI\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\is-IS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\System.IdentityModel.Tokens.Jwt.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\es-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\runtimes\win-x86\native\WebView2Loader.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-sysinfo-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.Diagnostics.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\vk_swiftshader.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\AddinInstaller.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Web.WebView2.Core.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\it-IT\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\zh-TW\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\adal34-win\build\Release\adal-win.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\he-IL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\System.IdentityModel.Tokens.Jwt.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.AuthLib.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ar-SA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-process-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\OneAuth.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.Diagnostics.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\zh-CN\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\bg-BG\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ja-JP\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\is-IS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\m365-browser\build\Release\m365-browser.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.MeetingAddin.dll
            Source: C:\Users\user\Desktop\TMSSetup.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\CleanUp.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\nb-NO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\hr-HR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\System.Net.Http.Formatting.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\zh-CN\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\nn-NO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Web.WebView2.Core.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-processenvironment-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Applications.Telemetry.Windows.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\slimcore.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ar-SA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\vi-VN\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\adal34-win\build\Release\adal.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ca-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\es-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe; Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.Tokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-string-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\cy-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\zh-TW\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\et-EE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\tr-TR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\ro-RO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\runtimes\win-x64\native\WebView2Loader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\nn-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Applications.Telemetry.Windows.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\fr-FR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\nl-NL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AuthLib.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\pt-PT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-math-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmControl.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\oneauth\lib\oneauth.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\office-int-win\build\Release\office-int-win.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\es-MX\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.MeetingAddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\el-GR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\el-GR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pl-PL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\uk-UA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\da-DK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\electron-windows-interactive-notifications\build\Release\InteractiveNotifications.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\runtimes\win-x64\native\WebView2Loader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\lt-LT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ko-KR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\adal2-meetingaddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\de-DE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-util-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\pl-PL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\lv-LV\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\lt-LT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\libGLESv2.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\ca-ES\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\th-TH\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\adal2-meetingaddin.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ko-KR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fr-FR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\hu-HU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\vulkan-1.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pt-PT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\lv-LV\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-localization-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-errorhandling-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\th-TH\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-file-l2-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-runtime-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\bg-BG\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\hu-HU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\hr-HR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.Logging.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\es-MX\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@microsoft\electron-windows-interactive-notifications\build\Release\notifications_bindings.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ja-JP\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\cs-CZ\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-synch-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Applications.Telemetry.Windows.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\en-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\vi-VN\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.IdentityModel.JsonWebTokens.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-console-l1-2-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Web.WebView2.Wpf.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sr-Latn-RS\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\sk-SK\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\nb-NO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmPal.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\System.Net.Http.Formatting.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\tr-TR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\fr-CA\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Newtonsoft.Json.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sl-SI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-locale-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\it-IT\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fi-FI\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\OneAuth.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\pt-BR\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\media-hid\build\Release\media-hid.nodeJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\cy-GB\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RtmCodecs.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-console-l1-1-0.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ru-RU\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\id-ID\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ro-RO\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\de-DE\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\he-IL\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\zh-TW\Microsoft.Teams.MeetingAddin.resources.dllJump to dropped file
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\hu-HU\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\sv-SE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\@msteams\package-utils\build\Release\package-utils.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\vccorlib140.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\es-ES\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sl-SI\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\ssScreenVVS2.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\sharing-indicator.node
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\is-IS\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\sv-SE\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\Microsoft.IdentityModel.Tokens.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\api-ms-win-core-heap-l1-1-0.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\ro-RO\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\fr-CA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\OneAuth.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\sk-SK\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AuthLib.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\pt-BR\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Teams.MeetingAddin.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\ar-SA\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\nl-NL\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\msvcp140_codecvt_ids.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\RTMPLTFM.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x64\cy-GB\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\Microsoft.Web.WebView2.Wpf.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar.unpacked\node_modules\slimcore\bin\skypert.dll
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\meeting-addin\1.0.24151.1\x86\zh-CN\Microsoft.Teams.MeetingAddin.resources.dll
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Check user administrative privileges: GetTokenInformation,DecisionNodes graph_3-24566
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe API coverage: 6.5 %
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7348 Thread sleep count: 91 > 30
            Source: C:\Windows\SysWOW64\rundll32.exe TID: 7348 Thread sleep time: -83932685535378407s >= -30000s
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7468 Thread sleep time: -4611686018427385s >= -30000s
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe TID: 7528 Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 7896 Thread sleep count: 33 > 30
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 7896 Thread sleep time: -30437127721620741s >= -30000s
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 7924 Thread sleep count: 131 > 30
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 7904 Thread sleep count: 265 > 30
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 5252 Thread sleep count: 9136 > 30
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe TID: 7964 Thread sleep count: 196 > 30
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystemProduct
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe Code function: 3_2_002F6982 SHGetFolderPathW,CreateDirectoryW,GetLastError,SHGetFolderPathW,GetUserNameW,GetLastError,CreateDirectoryW,GetLastError,FindResourceW,LoadResource,SizeofResource,LockResource,DeleteFileW,FreeResource,GetFileAttributesW,GetModuleHandleW,GetModuleFileNameW,PathFileExistsW,CopyFileW,FindFirstFileW,GetLastError,FindClose,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,DeleteFileW,CloseHandle,CloseHandle,FreeResource,3_2_002F6982
            Source: C:\Windows\SysWOW64\rundll32.exe Thread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 141760Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 99374Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 206026Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 172299Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 109234Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 195393Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 188779Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 160263Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 113770Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 112169Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 188246Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 147556Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 109510Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 150966Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 178110Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 139265Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 124270Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 158680Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 172186Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 180946Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 176907Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 147560Jump to behavior
            Source: C:\Windows\SysWOW64\rundll32.exeThread delayed: delay time: 105639Jump to behavior
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Teams\current
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Teams
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user\AppData
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user\AppData\Local
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeFile opened: C:\Users\user\AppData\Local\Microsoft
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware Virtual Webcam
            Source: Update.exe, 00000005.00000002.3088277075.0000000001387000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: d\[ddddddaddNdddddddddddddddddd`dddddddddddddbdd_dddddddddddddddddddddbcdddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddtringComputer System ProductComputer System Product4HMVLN71434D56-1548-ED3D-AEE6-C75AECD93BF0VMware, Inc.None++>N?"
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware Fusion 4 has corrupt rendering with Win Vista+
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMnet
            Source: MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: vmware
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware, Inc.
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware Inc.
            Source: Update.exe, 00000005.00000002.3109758640.0000000006160000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: eb1a:2860eb1a:28201ce6:282012ab:03801943:22530c45:64d00c45:64d21bcf:298504ca:704704ca:704804f2:b3ed04f2:b3ca05c8:035d05c8:036904ca:709513d3:52570bda:57f20fd9:0066VMware Virtual WebcamMedia.VideoCapture.BlacklistedDeviceGoogle Camera AdapterIP Camera [JPEG/MJPEG]CyberLink Webcam SplitterEpocCam../../media/capture/video/video_capture_metrics.ccDevice supports Media.VideoCapture.Device.SupportedPixelFormatMedia.VideoCapture.Device.SupportedResolution
            Source: MSTeamsSetup_c_l_.exe, 00000004.00000000.1687568862.0000000000326000.00000002.00000001.01000000.00000006.sdmpBinary or memory string: F: Unknown exceptionstring too longSOFTWARE\Citrix\PortICAPorticaV2SOFTWARE\VMware, Inc.\VMware VDMAgentInstallPathSOFTWARE\Microsoft\TeamsIsWVDEnvironmentcitrix-xen-desktopcitrix-xen-appvmwarewvdnoneLOCALAPPDATA\SquirrelTemp\SquirrelSetup.log%Y-%m-%d %H:%M:%S> Setup: 1
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: Gearway Electronics (Dong Guan) Co., Ltd.VMware Inc.Olimex Ltd.
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: Qemu Audio Device
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD5CB000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: Access-Control-Allow-Credentials: trueNet.RedirectChainLengthurl_chainload_state_paramdelegate_blocked_byhas_uploadis_pendingDelegateNet.URLRequest.ReferrerPolicyForRequest.SameOriginNet.URLRequest.ReferrerHasInformativePath.SameOriginNet.URLRequest.ReferrerPolicyForRequest.CrossOriginNet.URLRequest.ReferrerHasInformativePath.CrossOrigin../../net/url_request/url_request_job.ccOnDonenum_failuresrelease_after_msThrottling.RequestThrottled../../net/base/network_interfaces_win.ccWlanApiwlanapi.dllWlanQueryInterfaceWlanSetInterfaceVMnetGetAdaptersAddresses failed: 8<f
            Source: MSTeamsSetup_c_l_.exeBinary or memory string: SOFTWARE\VMware, Inc.\VMware VDM
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD8D9000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: VMware can crash with older drivers and WebGL content
            Source: C:\Users\user\Desktop\TMSSetup.exeAPI call chain: ExitProcess graph end nodegraph_0-4617
            Source: C:\Users\user\Desktop\TMSSetup.exeAPI call chain: ExitProcess graph end nodegraph_0-5712
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005F6638 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_005F6638
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_002FE7E8 LoadLibraryW,GetProcAddress,lstrlenW,lstrlenW,CoInitialize,InitCommonControlsEx,MessageBoxW,GetModuleHandleW,GetModuleFileNameW,lstrlenW,CoUninitialize,3_2_002FE7E8
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_00310CC3 mov eax, dword ptr fs:[00000030h]3_2_00310CC3
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005F22A8 GetProcessHeap,0_2_005F22A8
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005F3238 SetUnhandledExceptionFilter,UnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005F3238
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005FC140 SetUnhandledExceptionFilter,0_2_005FC140
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_00304760 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00304760
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_003048F3 SetUnhandledExceptionFilter,3_2_003048F3
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_00308A5F IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,3_2_00308A5F
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_00303ADC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,3_2_00303ADC
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 64.95.10.243 443
            Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 149.248.79.62 443
            Source: C:\Users\user\Desktop\TMSSetup.exe Process created: C:\Windows\System32\rundll32.exe "C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test
            Source: C:\Users\user\Desktop\TMSSetup.exe Process created: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe "C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "c:\users\user\appdata\local\microsoft\teams\current\teams.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\microsoft\teams" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeProcess created: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe "c:\users\user\appdata\local\microsoft\teams\current\teams.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\microsoft\teams" --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7ACCE4000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: ../../electron/shell/browser/ui/views/electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd
            Source: Teams.exe, 0000000B.00000000.2995831579.00007FF7AD8D9000.00000002.00000001.01000000.00000010.sdmpBinary or memory string: ?@../../third_party/webrtc/modules/desktop_capture/win/cursor.ccCreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = DwmIsCompositionEnabledDwmGetWindowAttribute../../third_party/webrtc/modules/desktop_capture/win/window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_00304949 cpuid 3_2_00304949
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetLocaleInfoW,3_2_0031F210
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,3_2_0031F339
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetLocaleInfoW,3_2_0031F440
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetLocaleInfoW,3_2_003154CF
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,3_2_0031F50D
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,3_2_0031EBC2
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: EnumSystemLocalesW,3_2_0031EE49
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: EnumSystemLocalesW,3_2_0031EE94
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: EnumSystemLocalesW,3_2_0031EF2F
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: EnumSystemLocalesW,3_2_00314FE6
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,3_2_0031EFC0
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\downloading.gif VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe Queries volume information: C:\Users\user\AppData\Local\SquirrelTemp\background.gif VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Caching\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.Caching.dll VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Teams VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Teams\current VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\app.asar VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Users\user\AppData\Roaming\Microsoft\Teams VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
            Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exeQueries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
            Source: C:\Users\user\Desktop\TMSSetup.exeCode function: 0_2_005F2AA8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_005F2AA8
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_002F248F GetModuleHandleW,GetModuleFileNameW,SHGetFolderPathW,SHGetFolderPathW,GetUserNameW,3_2_002F248F
            Source: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exeCode function: 3_2_003162F9 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,3_2_003162F9
            Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | 11 Input Capture | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 21 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | 2 Native API | Boot or Logon Initialization Scripts | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 Account Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 13 Command and Scripting Interpreter | Logon Script (Windows) | 112 Process Injection | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | 64 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 11 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 141 Virtualization/Sandbox Evasion | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 1 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 141 Virtualization/Sandbox Evasion | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Regsvr32 | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 1 Rundll32 | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
            Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | Stripped Payloads | Input Capture | 1 Remote System Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
            Behavior Graph ID: 1459800; Sample: TMSSetup.exe; Startdate: 20/06/2024; Architecture: WINDOWS; Score: 68
            Signatures: Multi AV Scanner detection for submitted file; PE file contains section with special chars; Yara detected Generic Downloader
            TMSSetup.exe
              dropped: C:\Users\user\...\MSTeamsSetup_c_l_.exe, PE32
              dropped: C:\Users\user\AppData\Local\...\CleanUp.dll, PE32
              started: rundll32.exe
                started: rundll32.exe
                  signature: System process connects to network (likely due to code injection or exploit)
                  dnsIp: 149.248.79.62 COEXTRO-01CA Canada
                  dnsIp: 64.95.10.243 BRAHMAN-NYUS United States
              started: MSTeamsSetup_c_l_.exe
                signature: Contain functionality to detect virtual machines
            MSTeamsSetup_c_l_.exe
              dropped: C:\Users\user\AppData\Local\...\Update.exe, PE32
              started: Update.exe
                dnsIp: 104.208.16.95 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                dnsIp: 20.42.65.88 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                dnsIp: 7 other IPs or domains
                dropped: C:\Users\user\AppData\Local\...\Squirrel.exe, PE32
                dropped: C:\Users\user\AppData\Local\...\Update.exe, PE32
                dropped: C:\Users\user\AppData\Local\...\RELEASES.exe, PE32
                dropped: 343 other files (none is malicious)
                started: Teams.exe
                  started: Teams.exe
                    dnsIp: 172.64.41.3 CLOUDFLARENETUS United States
                  started: Teams.exe
                started: Squirrel.exe
                  dnsIp: 20.42.73.30 MICROSOFT-CORP-MSN-AS-BLOCKUS United States
                started: regsvr32.exe
                  started: regsvr32.exe
                started: 2 other processes

            Source | Detection | Scanner | Label | Link
            TMSSetup.exe | 53% | ReversingLabs | Win64.Trojan.OysterLoader |
            No Antivirus matches
            No Antivirus matches
            No contacted domains info
            Name | Source | Malicious | Antivirus Detection | Reputation
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/nb-NO/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/v8_context_snapshot.bindUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/locales/locale-pseudo.jsonUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/nb-NO/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/msvcp140_2.dlldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/Microsoft.Web.WebView2.WpfUpdate.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/locales/locale-en-au.jsonUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/cm.slimUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/api-ms-win-core-file-l1-2-0.dllUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/Teams.nuspecUpdate.exe, 00000005.00000002.3091408859.00000000036AC000.00000004.00000800.00020000.00000000.sdmp, Update.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/AddinInstaller.dlldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/ro-RO/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/ro-RO/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/cm.slimdUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/locales/locale-fi-fi.jsonUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/RTMPLTFM.dllUpdate.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/locales/af.pakdUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/TeamsIconSet.dlldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/vcruntime140.dllUpdate.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.pngUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.xmldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/nl-NL/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/api-ms-win-core-file-l2-1-0.dllUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/lv-LV/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/tr-TR/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/windows/TeamsLogo.contrast-white_scale-100.pngdUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/locales/de.pakUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/Squirrel.exedUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/api-ms-win-core-interlocked-l1-1-0.dlldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/locales/fa.pakUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/Badge_7.pngUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.asarUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/qm.slimUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/msix/teams-app-icon-150.targetsize-150_altform-unUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/cs-CZ/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/libGLESv2.dllUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x86/OneAuth.dllUpdate.exe, 00000005.00000002.3091408859.0000000003684000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/api-ms-win-core-debug-l1-1-0.dllUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/m365-browser/build/ReleasUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/locales/gu.pakUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/20x20-available.pngUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/locales/locale-fr-fr.jsondUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/meeting-addin/1.0.24151.1/x64/es-MX/Microsoft.Teams.MeetUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/locales/ko.pakUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/api-ms-win-core-timezone-l1-1-0.dllUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/app.asar.unpacked/node_modules/slimcore/bin/sharing-indiUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/lib/net45/resources/assets/12x12-dnd.pngdUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.dlldUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.txtdUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://defaultcontainer/tempfiles/sample.ftzUpdate.exe, 00000005.00000002.3091408859.0000000003567000.00000004.00000800.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
            IP | Domain | Country | ASN | ASN Name | Malicious
            52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            20.42.73.30 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            2.16.164.105 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
            52.178.17.2 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            52.182.143.215 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            20.42.65.88 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            2.16.164.27 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false
            64.95.10.243 | unknown | United States | 31982 | BRAHMAN-NYUS | true
            52.182.143.210 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            149.248.79.62 | unknown | Canada | 36445 | COEXTRO-01CA | true
            52.168.112.67 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            172.64.41.3 | unknown | United States | 13335 | CLOUDFLARENETUS | false
            104.208.16.95 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1459800
            Start date and time: 2024-06-20 01:23:09 +02:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 13m 36s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 19
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: TMSSetup.exe
            Detection: MAL
            Classification: mal68.troj.evad.winEXE@21/619@0/13
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:
            • Successful, ratio: 98%
            • Number of executed functions: 335
            • Number of non-executed functions: 107
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
            • Not all processes were analyzed, report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
            • Report size getting too big, too many NtAllocateVirtualMemory calls found.
            • Report size getting too big, too many NtDeviceIoControlFile calls found.
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            • Report size getting too big, too many NtSetInformationFile calls found.
            • Skipping network analysis since amount of network traffic is too extensive
            • VT rate limit hit for: TMSSetup.exe
            Time | Type | Description
            19:24:02 | API Interceptor | 129x Sleep call for process: rundll32.exe modified
            19:24:03 | API Interceptor | 2802483x Sleep call for process: Update.exe modified
            19:26:09 | API Interceptor | 107x Sleep call for process: Squirrel.exe modified
                                                                                    • 40.126.32.138
                                                                                    https://hr.economictimes.indiatimes.com/etl.php?url=//hr.economictimes.indiatimes.com/etl.php?url=https://coloartmoveis.com.br/hbjkjdhusdhjsd/yudfidlsdjskjdhjs/skjdjskkjsd/jdjhshjsjdhjsd/anRvcmtlbHNvbkBjY2ZpLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 40.126.32.74
                                                                                    https://netorg524872-my.sharepoint.com/:o:/g/personal/ccaine_mercatorxxi_com/Eo7wlq-N6exOv4iA0bDprkYBtMZ2isOeCx4jBBWaY8enPQ?e=5%3adpn2n8&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 13.107.136.10
                                                                                    https://www.pcna.com/en-ca/product/folding-moon-chair-400lb-capacity-1070-94Get hashmaliciousUnknownBrowse
                                                                                    • 20.83.33.82
                                                                                    https://youtube.comGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 13.107.42.14
                                                                                    https://afcurgentcare0-my.sharepoint.com/:o:/g/personal/cgilliam_afcurgentcare_com/Ehm-TFU9-6NDloR7iWxl3REBDn8pVyW9Li2QuLC_JASiJg?e=5:0bnihp&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 52.104.114.39
                                                                                    Copy of Stonhard_BulkImageRefFileTemplate (version 1).emlGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.253.45
                                                                                    MICROSOFT-CORP-MSN-AS-BLOCKUSMSTeamsSetup_c_l_.exeGet hashmaliciousUnknownBrowse
                                                                                    • 20.189.173.10
                                                                                    https://pub-23354ce60e01474fa600cbca2caadc73.r2.dev/index.htmlGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.246.60
                                                                                    https://www.baidu.com/link?url=pCe2VMeTMuhndrXyVPsQ3n6O16FCz5n7978FKvmnNu0JERaM9sHkayy_qDGQGjJmvDRCSeZR9vxMVY05bWTLma&wd=dGh1YmVyQG5vcnJpc2VsZWN0cmljLmNvbQ==&eqid=DeUTVqQWINmOgZSMotATfCvHOSfRhkjEiCzwbdpHhYTIdKCLWhGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 20.190.160.22
                                                                                    original.emlGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 40.126.32.138
                                                                                    https://hr.economictimes.indiatimes.com/etl.php?url=//hr.economictimes.indiatimes.com/etl.php?url=https://coloartmoveis.com.br/hbjkjdhusdhjsd/yudfidlsdjskjdhjs/skjdjskkjsd/jdjhshjsjdhjsd/anRvcmtlbHNvbkBjY2ZpLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 40.126.32.74
                                                                                    https://netorg524872-my.sharepoint.com/:o:/g/personal/ccaine_mercatorxxi_com/Eo7wlq-N6exOv4iA0bDprkYBtMZ2isOeCx4jBBWaY8enPQ?e=5%3adpn2n8&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 13.107.136.10
                                                                                    https://www.pcna.com/en-ca/product/folding-moon-chair-400lb-capacity-1070-94Get hashmaliciousUnknownBrowse
                                                                                    • 20.83.33.82
                                                                                    https://youtube.comGet hashmaliciousHTMLPhisherBrowse
                                                                                    • 13.107.42.14
                                                                                    https://afcurgentcare0-my.sharepoint.com/:o:/g/personal/cgilliam_afcurgentcare_com/Ehm-TFU9-6NDloR7iWxl3REBDn8pVyW9Li2QuLC_JASiJg?e=5:0bnihp&at=9Get hashmaliciousHTMLPhisherBrowse
                                                                                    • 52.104.114.39
                                                                                    Copy of Stonhard_BulkImageRefFileTemplate (version 1).emlGet hashmaliciousUnknownBrowse
                                                                                    • 13.107.253.45
                                                                                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.IdentityModel.Logging.dll | MSTeamsSetup_c_l_.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\AddinInstaller.dll | MSTeamsSetup_c_l_.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.IdentityModel.JsonWebTokens.dll | MSTeamsSetup_c_l_.exe | Get hash | malicious | Unknown | Browse |
C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Applications.Telemetry.Windows.dll | MSTeamsSetup_c_l_.exe | Get hash | malicious | Unknown | Browse |
                                                                                            Process:C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):2420
                                                                                            Entropy (8bit):5.348263469623871
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:MxHKlYHKh3oTH/xHgJHreylEHMHKoHHitHo6hAHKze/HvHA:iqlYqh3oTfx0aymsqaCtI6eqzuPg
                                                                                            MD5:A77B203DA07012C97A819DDD42609F42
                                                                                            SHA1:514300571A52B508BEA85AF31E62D975EC090D1B
                                                                                            SHA-256:2728DC08E1A592D6B13C74CB177D2E133A7523E48C129D4FA7261AE8EA53FFE4
                                                                                            SHA-512:AFECF33580B6FD0F93749C7C32CC08657BAD14E217059DD4464D77CE8B91D9C7216BA66BFE6B55037B00219F67D5E4C0B7C517182D530B131BB50F3186316378
                                                                                            Malicious:false
                                                                                            Reputation:moderate, very likely benign file
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime\32bcd6ad56338e82b2e9ecba5600bdb4\System.Runtime.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):3586
                                                                                            Entropy (8bit):5.365060918503364
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:iqlYqh3oTfx0aymsqaCtI6eqzuPOGqzyRW3jlqcEGwD:iqlYqh3Mfx0atsqaCtI6eqzuPOGqzyRV
                                                                                            MD5:85FB6A4800E27CA168CEA36B58BDE6D0
                                                                                            SHA1:F3BB95CFEB500206898544C19C4D4F508AF4C2AC
                                                                                            SHA-256:EC8C86031D452B75FDC110E27493B17044231281CAE96341BC2564D07C0E540A
                                                                                            SHA-512:A09E369F354BA88821681D9658761EFC7B723092FA21625EC78634CC1E7574CE0514A66800A0E7E4990FBCF2E77DD1F235F96CD58B65792CCD4CE52D87FE8055
                                                                                            Malicious:false
                                                                                            Reputation:low
                                                                                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Runtime\32bcd6ad56338e82b2e9ecba5600bdb4\System.Runtime.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33864
                                                                                            Entropy (8bit):6.6749170427672215
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:bgYy+J05SY3wauWD5Epw9z9gElzEpw9zT:FMcYgauA5Ep4z9ZzEp4zT
                                                                                            MD5:7F17A972A3F083FC309E93C9ADA8AA10
                                                                                            SHA1:0072330558FB6E91FE6801DE71ACF06A716BBA5C
                                                                                            SHA-256:98B6CD35884C8AE37F33196A132D0029100C0BA8AD2EE0C084A4870CFA832214
                                                                                            SHA-512:D2B924E1BCD5EB260B17CB58E527E87D6FA9E772088F95DF6369599D7C4FFA3866F83D35F6AB333667C129FA8AE9CEE781A46FE8781B37906A60AFC301EC48CA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: MSTeamsSetup_c_l_.exe, Detection: malicious, Browse
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1016
                                                                                            Entropy (8bit):7.73830447681088
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:+5DjKVMPFXHX5S4wKHWKWZGmy/xRftEircOiO8UN7O3:+5i8HplNRmKtFPPo
                                                                                            MD5:E3B1BA3900BFFAE493B4463F9A6FBC48
                                                                                            SHA1:0BDDCAB7F9537F01900CB7A7AB0FBB1042E460E7
                                                                                            SHA-256:8FDE3D7378D0E9148068C3A9406D5BD754E93C9810FF5D2B8535FC2B65E0830E
                                                                                            SHA-512:8CA0A6304BD871B1F2BECCF6AF9CBB2EC97D05B233B9388CFC760B262509B8BF6F9B50B837D21018FCA6E8627FA11AE67F6AF49440A837701B4C9AE920585246
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1237
                                                                                            Entropy (8bit):7.788008184019191
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:GVwVpPtyAjoNiCkbbtwi0G1UA9WdK+oJgsQ6QVdAmwQATjZWwrpFbVD3r:E6FjowPv70tB/oJgl6Q8mXAT1XLr
                                                                                            MD5:6974CFC337BF190D728C6824EF94AFB6
                                                                                            SHA1:741DABA13F01C19518E2E1E72A93DF2C96227934
                                                                                            SHA-256:115340C0940669C7A55670F03737492FB86D5E34E0390E5664EEA3F9B4147B0C
                                                                                            SHA-512:679AFA5D417748680624314A6E5FF63CBF37D11BF5E95FD2D2114076F1DCD75196849EB39B1D456A8A5DB0019EF2C4C2FD61EA70651DAF158B87A69D8B017FAF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1555
                                                                                            Entropy (8bit):7.805621612269991
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:xyPSt6BuLqrVii+xXSCLqmgDvjUEAkgoX1Amyz/zaY6pGtqPgmeAkG0ZZz:cPSt6G2iimqm+6kgDl/t6iEfGz
                                                                                            MD5:177094A528723CEF49FA2FFDFAB57CF5
                                                                                            SHA1:CBAE150EDCD83F2E9BB87A0BB86CF076EEBC41C2
                                                                                            SHA-256:66CD5E3CFC69AF5087D33C570CFE424B50935B01C27E618CA11822AC7AE6D1E6
                                                                                            SHA-512:AD9394116D2E132EB2BFF48F1AE4AB7AEC5B372FFD2B7B41E29CD8BF26C87725BB48D0C3AD85F7C3C94B4556872A06876D1E95F4AD8A0CF63DD949DBE350D8E8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):821
                                                                                            Entropy (8bit):7.630755600269692
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:L9IW0j2BjoUb25MCbt+OzOGKynRHS/0psG7:LaW0l2Ut+ONRy8+G7
                                                                                            MD5:FAFBA571265B20E0EC4423FEAD972E1B
                                                                                            SHA1:B686D74FF48E3B990F0E312BB0F3AF4E8F53069A
                                                                                            SHA-256:1FB3B4832E92B1E2F998CD2FF4A872000822CBB897D869194195E5C4F8D43CD0
                                                                                            SHA-512:D0523CCC27436A80C5A14094AD244349EFE68FB5A813F97539C3025FCC1F05D6CEC9B8FFD04883E35BCD787A36901246687162B4B86717E81E747B2CF035DD2D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):574
                                                                                            Entropy (8bit):7.347738166641519
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7iHKcqzpeXnDvyEqCcmpZndaYcfyYCta8eq0NRFWBOfmcN274Gl2E7:6cqFeXDvyEqEpZdaYcStx0LFgOfzkUD+
                                                                                            MD5:503E86E4628933D17B5B41B4918D6C9F
                                                                                            SHA1:F884F45CF4EF5B435E554EA30F654F076E50BDF5
                                                                                            SHA-256:1C80CC98643E1D060B9443C98E9AFE663125398F7BB99E5BAB2C0EB952C9C111
                                                                                            SHA-512:22D115A09597F7A8CB0C5BCD0E0BBA55798D3A431B28EC27E9DDAA356BF0AF674BDB78E6D9A3911E2750354D42A8AD628EBD0A7716410360F6D1160258E12C98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):627
                                                                                            Entropy (8bit):7.55832772949955
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/76fR8ZKPil+HE3xZKPwUonTJibKpwwCzc8oRNn/Dna+z:7R/PUsE3xZ/zsbKpcI3Dna+z
                                                                                            MD5:75713D844925AC3404D59C5D56DD996A
                                                                                            SHA1:88F0F5B5450772A85FD61FB5FD54C3A6F7E48585
                                                                                            SHA-256:D4746496079E9C334715958852FA8FB59E54DBDEAD19D83001FA15C1793D27B2
                                                                                            SHA-512:B60E132BD5251084B2C7A22591D72DFDFEBB7A24987ADB8E78CA345694F6043C1F3C7A9205B6052CF3846FCF33179506BFF88C1D1BC8093A7563CF150EC5D30A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):875
                                                                                            Entropy (8bit):7.664401472706693
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MnF5WncYHQTt0feBgmzpRjRqgnoEmDDxM4xr8LTdIDg5X:MFAncIQhee+mdlRlTmW9uDg5X
                                                                                            MD5:F323D73771349B6374462B8A4B708D83
                                                                                            SHA1:39F8860AEC7AC9FF8DF80C770A23F3AC8C3BE4A1
                                                                                            SHA-256:EA0327CD2D987CF069747F70A317E552C0304170177101AA578F04D2EBE9FFB6
                                                                                            SHA-512:5377FD3886FCDEF87B61F1CC825655E6B977E370563B2C2F7B3BB675B8ADCCE621A47F056945A9C0A41F9C10BF4DF6694167E62A310B146587F898D39E753EB2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):483
                                                                                            Entropy (8bit):7.310129121242215
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/78zmIphkxF+oabzkBMDRbuyP+3uvNg9e8lJD+SF330YN:46m0hRl+3q+nD+SiK
                                                                                            MD5:A2761DE768472D09D1E02C92EBD144B5
                                                                                            SHA1:60BA18F0FF47B9E9C3E23B5AE9E95E3D319B5C5D
                                                                                            SHA-256:AC7FE3232888BF96C520D586C723149CD3127E1CE7CC65BC35BA1984CC27BBCA
                                                                                            SHA-512:F330DB55B79E561D2DAC1CD051421F91D6981A489A004EB0EAE3AE090B1386DDF46EFB675A9B6F75A0BB83F741B5DA12E4DFB872EE41782773BFAEC9014CA667
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3097696
                                                                                            Entropy (8bit):6.376562383850651
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:RSYwMLWjLsGKN44mG3uTMnnl5S6niJO+L2U1W1N1TfEoqeoR:QwxNN45G+TMnlXNq/
                                                                                            MD5:65EE46B3B363F0673FD6381DE42E69D8
                                                                                            SHA1:515FC59976C50C95E99ACB0C046BDA605BE4C130
                                                                                            SHA-256:049A56425A4685160A94DE4560AA514F3F575D62D99CB0B10BE2C23F10E9D377
                                                                                            SHA-512:C7A115E277C9823E64F665FD255C7257B387AD29A51D51A3BD75F76D77DE32230928A157A5FBA211B0D8ECF8F66E317FD5F84FC18F43C6116CC5925366B6F539
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: MSTeamsSetup_c_l_.exe, Detection: malicious, Browse
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):78408
                                                                                            Entropy (8bit):6.129481246167649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nm6516C0z6v8JyJNPk2DuttJ6gDEkeLGzewZGLzw00f:nmqEC0zhyJNPktDXiGyRv0f
                                                                                            MD5:EEA13258A8B7DE541A74D2912769F2A7
                                                                                            SHA1:542082376A88F30ACAE47D71737A043A05334B1A
                                                                                            SHA-256:E4FA6AC046B919137158954B182A647129990B70399C9894CE6918F0FA893262
                                                                                            SHA-512:A8E7A6F7476867199D2E499ED09F11742593B398FAC4B4F3CA9C2D3496AB2A1B80A5E439F4444342D0A30BB3C74FB1A616E508DD05BBAAF6E54681F5F56BF8A9
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: MSTeamsSetup_c_l_.exe, Detection: malicious, Browse
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):41032
                                                                                            Entropy (8bit):6.710594759580758
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:vS0Nb06pBrs9OoJu8Gw1OQaXV9zPgEllVXC4dC9zVj6N:vnb0NO217GnzPZ/C4dezF6N
                                                                                            MD5:E6F3F341BAEB31F4196C3085FB34F767
                                                                                            SHA1:D78EBC71D36B06E0DA7FA41E6D7888FCC71042B6
                                                                                            SHA-256:4BE875B73CD50A95A1480FD3330222C278903DCFA9EE73263198D860827EA9AF
                                                                                            SHA-512:A38A81B096D215E04947BDD2E7D1532E676C8E84DD9CD598D98EE5EBF5C1197CF1AC690F28DA0EAB3DC1CA42CE0CD9F1EAA0901E7CD55C1ECA927D86E880C365
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Joe Sandbox View:
                                                                                            • Filename: MSTeamsSetup_c_l_.exe, Detection: malicious, Browse
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):937544
                                                                                            Entropy (8bit):5.838809981110096
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:uMt+vIZDreuKQvgXyexT4Yn2sxGwmBgjoIb:jVbgXyeV46xGjBgj1
                                                                                            MD5:528D783F83C540EFC5F138D21E8C1696
                                                                                            SHA1:64F87F45719CA06143AA6328A52E6A96285DA63A
                                                                                            SHA-256:CE06CDE2B771E6E215CA9A10F8739A23AB2990A53C32301E42838D40E8E355F3
                                                                                            SHA-512:ED2562BE767103C2FD7179B0F632A2250F8EF97950341C6D0FE6AC8BA347499682CF7201289169855F313D47833F863FCC110B54864A8BBABF046FFD8B5902CF
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):248904
                                                                                            Entropy (8bit):6.150746670116204
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Le3vee9g5nwddPS764sTCYfMLG/Hb25jiV9MPsJvgk+TB:E9GGd676469Ma/RVKPsJYkA
                                                                                            MD5:96E9C38D030B3ECB4E674227F2214272
                                                                                            SHA1:8D6BFF68B89630C7DBCE8A5120110816BCD2B881
                                                                                            SHA-256:170B6F45031B97C665AAF19B4A85E1DCE035243A0972CADFFD855B11E15C9F2F
                                                                                            SHA-512:773C8E286ECC0AC57F14C6F46FB58327DE21F04FBC7B3977270D0A7770E0CEB9E0D4B60A79D1DA82E7D1F4FDD40AF9281CFBE78B27C180BD7B57C2F29E99B7C0
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):40008
                                                                                            Entropy (8bit):6.683761370543717
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:3nom7dmnAf1LHF51ap+v/7pK+4nCLEpw9zUzgEl3H7Re9zno:39Rhaps7pnq2Ep4zAZXFazno
                                                                                            MD5:8B49A5EDDC4FD8D66224C96F90637305
                                                                                            SHA1:683B198B685AF5329EC6EC1171266AC84D3B7ABB
                                                                                            SHA-256:04C9F32B9FAD48DF69E9675B30554712AC87659ED9B4AE29FC04007DFFF0092E
                                                                                            SHA-512:C55A44341A8B748C5F7092C397D494B2A98922AB2C2B7CBC994640F6663647640FBA4E7BF33C5B4E01F4951BAC9BE68A764309D3C83BF49F247AB563A59776AB
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):32840
                                                                                            Entropy (8bit):6.85712169528054
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:z5BNiiCAlw5LfyacHbZTowwWYsQWSW/7R9zkV+Hh5yEFHRN7GNQSR9z+zCu:zrFo5xwlvfF9z6EhgElG6e9z0Cu
                                                                                            MD5:D24A006BCE2DB1A2F0463714BDA1758F
                                                                                            SHA1:1DBDAF547C164430F8A1E59F4DF6D95E7A31F001
                                                                                            SHA-256:5A2FE2BC4E619066404BAE87FD7D9A449054977D64F7D3825A8A63254070A07D
                                                                                            SHA-512:9AFCA008708C0E389DD7443C8A10F651D1216D4B7134122B96645F73645CD7317C6266B7D30F586C253D87083973AFB006C0418A981FE7478A2ADB0CE373C3F2
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1096776
                                                                                            Entropy (8bit):5.795453024854296
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:nH7Ek5BVh5Bsu0G179oVVmfLEq2aw+QUZT:H7Eds79oVVmfLEqNw+1F
                                                                                            MD5:AD514AF0C57668FCEE3C7AAD08B398E8
                                                                                            SHA1:8A1E7B31BF4C7784CDAF8497A73CEB5210A8FEF1
                                                                                            SHA-256:37879DF89E78E89ADB33918C3CA4D0DF623CEB059057FA6A7FA828100D98F19F
                                                                                            SHA-512:CC1905C4F7F48B727DA8FC240F641EB881D5C328496EB9ADA257EB09424FB761354C32F08760C60AB192F43575A28917B2C1262AC7E716C2B1A1A13E97297F22
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):515
                                                                                            Entropy (8bit):5.076136391837345
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:TMHdGzNFF7ap+5v5OXrL/2/tFicYoKV7VirkTyxm:2duPF7NhOXrT2/H9kirkV
                                                                                            MD5:ED080ED5825CF4893CA4F7D1395B9957
                                                                                            SHA1:3905E190109E5DF90676F4716A69C815A6E52B44
                                                                                            SHA-256:29F368DEF465F1AE30DF31EBCA4A976F180DBCF3718605B4ACB0D6DA95A30855
                                                                                            SHA-512:73041863B7916B21A56D5C61933D9922D24B15548D7356DFEE42C3AB617F72A04AA8080F3C5EB3F21D968FFB38C7244D4484E78540BF6BB8FC93600A017E43D0
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup></configuration>..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):295008
                                                                                            Entropy (8bit):5.771512173166689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:6ylhq4ugopeh5eBeGNx8cNe+zcee9eoedTeeIzeqRK0e6eR9pRFIEIEEICepM1Sj:2P4eR9pRFIEIEEICepM1S2LQQs1hP19x
                                                                                            MD5:D3A3E82247F81342E217C92B9C89BC86
                                                                                            SHA1:CBD914785348331AE68528ED71E317ECADDC10DE
                                                                                            SHA-256:B39CA19017B8B99385A588433B4AA1CC87DDE272DA14771A9750F00605D31091
                                                                                            SHA-512:EE5968A216BD402632A0CA1073B8C4CA5303CF28F30002AAAF2E7590B565FA3BF951E7B62320E4E3592DE50B9F56F08ECADCF67B50659DF056BB5812388A962D
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):45152
                                                                                            Entropy (8bit):6.663371468091526
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:iTFfTl1XWYTACPHZDgcE05P4Jjrnh2jwSosuTv1JKa5/Zi/6LsubsOzMnXbD9zMz:iTFbHXLPHZDgcE05P4JjrnawSosu71Jh
                                                                                            MD5:F86AFF1B72BF70884B4BE0CA38919369
                                                                                            SHA1:8D3DDF77DE94F5EAE244AD09F9D2ADDCC2DEF709
                                                                                            SHA-256:69B2BBF16659F98D589942A1A3F344550DD1E03446DF4F81DC4668F1D51CFEC0
                                                                                            SHA-512:718F629F907EDFADFFCBCA135DB6153B2BE001E450940722B43C16279CF9ED0A6384D1205D3287F397B2E8FCD9A5615BB2497E8717B6CF6391EFADF1BB122480
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):50760
                                                                                            Entropy (8bit):6.631383698123452
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0X0t7C3ZK8wDP/ryEH0mBO4JjrDXaUfUPLkIFKKa5/Bi/hGvoAwWKSVdxxzXZVP/:0X0t23ZK8wDP/b0mBO4JjrDXaUfUPLkR
                                                                                            MD5:04B900A20C71F7A23BEBA77F88B86308
                                                                                            SHA1:C5BCD7AE974EBF89F6D12F26DBAA9B4FD4CF2A53
                                                                                            SHA-256:BBA041B5BE0946EAEDE57AE31361844CA781C9FAE80607980465C7F2422F83BD
                                                                                            SHA-512:F40B2ABAD653F4433D8B7C665D37000780D7A1289F4B187F8B51CA7C8D577C7D7449A5E12C0DCB1FBBFC45403437D6F9F4AD09CA326239C4D1823908063CE19F
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):714312
                                                                                            Entropy (8bit):5.981067761075983
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:H9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc30:H8m657w6ZBLmkitKqBCjC0PDgM5
                                                                                            MD5:D473F50D1D29B975DA5B6EE0BE8DAA16
                                                                                            SHA1:AAFC94D3C26041CCA3737FDF6240290DBAC1388C
                                                                                            SHA-256:E57E1BD98CF3EB35B61BC5603DA893DD8018BE8CD6CC582D263CD964CE1E47DD
                                                                                            SHA-512:1BB89EBE3EE9D61ECD194ED008C25733C5888FDBDE41A3D248161EE4A708526489A2F79D23EEE97CCAB0D58622ADDE158E07225B8A64AD1F6593CF848206FACC
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4255816
                                                                                            Entropy (8bit):6.621144248265792
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:6vVaimCiynv9z1Rgzg5mHIZcAf8liK4B7sCIIcxiVztD4Up1ljWp3HGmhMhS+/Nt:64uz3gcmpXGmiMDTw5
                                                                                            MD5:8E3C04EB2236C4CB93A631AEDC3EA9C8
                                                                                            SHA1:B4E83AEDC2ED818705A0F2EA1C544943D0D830A5
                                                                                            SHA-256:E9E25A64D404F38BF8DC6CFA94A80B7CC8C758A5E32CD671C57BA6F32D05BF63
                                                                                            SHA-512:35F264538670B290DB473CA32E6400FCB3A3D4053180E61F4D49B8CE2D66C8C3C9AD30A60EFCB8D3A2CF1B6B7F75C34B648A52CD85B837E8F954A444543682E5
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):94312
                                                                                            Entropy (8bit):5.905204811037498
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:erLOBZPOcQY5bOfk4GftC07uktN9XNEgfpXaXr0iMJgBGILkDzVZl0+88niFF2Gj:eeBZPOcQY5bOM4IuktN9XNEgfpXaXr0s
                                                                                            MD5:A70D021C422B844D5B3708A619466057
                                                                                            SHA1:5F63C78F20FA7E7ACA36C91F209D4215C854C90A
                                                                                            SHA-256:5692B8A4E74EC8484A87D68379FC69FC119E980F79D2765F7FCA5BF5FA302024
                                                                                            SHA-512:A8CDCC3043376A1D25B318739DB7545CCB0ED77C1E134CC03B5A009A655EA6861EE3E7246EBDFFA6D53B6BE31EBFFF93B34322488C1067712F0A280ED2B8ECB3
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):189544
                                                                                            Entropy (8bit):6.2575053993527705
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MXWun8Jw8fCk/Dvf5eso7DpGbG8pwp2xuRLYs8jn4xo:MXWu8Jw4L/D3UVVGbGbd2
                                                                                            MD5:8FBA542C86765B116FD3B6A397196984
                                                                                            SHA1:47D65C9D0C0D07C4E76F3516C90E7FD1CEAC1B0B
                                                                                            SHA-256:7E0C5104F49C2B79E0261BAB191CF7ED25BBE9C01BCB7DCEDAE5C6AA1F8BA94B
                                                                                            SHA-512:89C05EFE882C226EB55A0D234BE49E2D4D639DB08FB0BF85129E672CE3773EFFA82E7F95EDB1F7DE1F3B8B57B38203AA69E8B84CB51885A9CE9918332DC06D22
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1769056
                                                                                            Entropy (8bit):6.166747246802417
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:s5EOB1S6bxNZHY6vApo47bw0puGr7WH3TvKsUfWdZAujbC/:s5Ei1S6bvZYn20uGr7UTtdQ
                                                                                            MD5:68489533091EA68287F7F777301585B3
                                                                                            SHA1:4DF72C6058EAEC0595B3737703F75E452EB49704
                                                                                            SHA-256:61B5650FAA6325CD16E3A65739017421043D618B122780C5905AA24A10122ACE
                                                                                            SHA-512:D2297C8A14C44CFCD1E7F06C52E111A25DDAE050A76E72E14F6ED0FBB15D35DEB0ED4AC134D342FE9FA49CF4717177C1763BEE82A1FFA3AF3B7B06C62A4B3624
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62536
                                                                                            Entropy (8bit):6.619052550214228
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:KO9gSK8rih93rkkMy6HMyFPcIk9WvLdQWuB5X2PHJMK1SNahIg8DTuf3T11EikM/:T9gSK8rih93rkkMy6HMyFPcIk9WvLdQM
                                                                                            MD5:918B2973A82BDA52C4AC8A09D2574E1C
                                                                                            SHA1:40FF2FBFC9D48610CA8334696D0A8292E7F98B2A
                                                                                            SHA-256:F43F46284EA5B51849A485A76D6435B37D830EDACE7C3FBD461703A24AD50CE4
                                                                                            SHA-512:41098F24BD33E89F72D4A5F4A2F07D9330C57CD36EADC7DEDB1F793C7C893C231320033BF87E28197EAD74667636444530180C57C78A4E9EE68575B86D285E3E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):65640
                                                                                            Entropy (8bit):6.573404012365602
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6O9nxMvE5lU94Zs+uNQGChcfaEt5tHBB8spapY1KCcLJIaSgN8AzlaGEikcwsLzv:D9nxMs5lU94Zs+uNQGChcfaEt5tHBB8/
                                                                                            MD5:EB05AC049255AEC7D000FF9164B5C579
                                                                                            SHA1:8CDB9A4576EA58DD1C10F6E3426A01CDFF5E7E6A
                                                                                            SHA-256:ACF1548E834F32D5AC15B7B2393CA55C098F160222052B0EBF9BBB6B86E13DF0
                                                                                            SHA-512:20DEB44D7785D22B5B5787B5640D063DB48E4CB68C3B719C04B9E1BCA21AAAF46F471E6A580DB7C521A98BF2000D2FB02F89E14E81DBC3F18F4FF0600B527BEA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.4892523851181485
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.561446350526192
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.521529157814906
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59488
                                                                                            Entropy (8bit):6.519135032255633
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.501050121893406
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):66632
                                                                                            Entropy (8bit):6.59091502517811
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58976
                                                                                            Entropy (8bit):6.513267731001312
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.497159783858232
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.496671021509118
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.518455229340612
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.5124724749609975
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.501505785175988
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:9O9ADK9GGZoFZbcS0PFl8SJiJS4+X2uMd0dSBb/yNvd1SiUU/GpgYCv1Ny7iwEi1:I9ADK9GGZoFZbcS0PFl8SJiJS4+X2uMD
                                                                                            MD5:43EBF6698E8ED6E57A8A3FB079F718CE
                                                                                            SHA1:D282791F153159EE4093CB2424DC52C2E334BB40
                                                                                            SHA-256:A3A951E4BED1FD9F001A20886878980EDCCA336CC50054B1C9CDE99A2D2F2533
                                                                                            SHA-512:0111ECFA04BE397A235F2F1549046831577676F90984F34B1919AD1B8B6CA5D8DCA8FCA5650DB99B85253997BA95D6971B43650BB29781EE64BA79B2434EB096
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.507124752707679
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:XO9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxIjfwjRGaDZng/7HXwpJjAvvhYpvvFi/N:+9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxq
                                                                                            MD5:B500AD907A9F4E95314179A34DEC75E7
                                                                                            SHA1:DA22B47E32D7DE1D8BECACF2392CEF47D3460977
                                                                                            SHA-256:893EF5FEBF0F7118E4E7A6EF18A521C6A85A390FBDBB03E19754E83A60841945
                                                                                            SHA-512:4C88E4975E5A375FD8E958B57BC400796540CE80F9B393C77624C0652BEA26B113AF9136B43FD2B7C5BCBEB5382E73EA93743B8F58DB3BE022921B52E2204F55
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62024
                                                                                            Entropy (8bit):6.56914871344235
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9CElFACr31NvYOv0ffLE2WGNFzw9mgCOppcdIUX/a9BcPF4O9M6XPfEik2BQs+:w9CElFACr31NvYOv0ffLE2WGNFzw9mgX
                                                                                            MD5:4BDBF1DBA1B7B321E15265EE6D7E7195
                                                                                            SHA1:53708179AABE57782275FDDBD5DC03133CF3FE13
                                                                                            SHA-256:A880CBAB569A1A1B79FDD0BF22AABEB970ACD52B7F8DEF9930C8FEA4F2119888
                                                                                            SHA-512:D825BC8A138E5C70FE7E3FC242DE5E03C653C6CD5A97E9D26B29B1294ACD4A74FFD9CA8A3E31B33936A390DFC4E4CB630EC3FD055AADB6CF6BEF9EE958124377
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.500655599661843
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nO9dO2GxyJQPMKJUlRKXQu+aOdD68/8aEv8Fez74mwBxG211H/KqIG1EikRAs/zN:O9dO2GxyJQPMKJUlRKXQu+aOdD68/8a6
                                                                                            MD5:A17F101F048C7E157FE53D6C533D298D
                                                                                            SHA1:D3D3D09BBBF7269A269368818A039E7EA5779CD9
                                                                                            SHA-256:FC5560A78421EB40350F57221995647C8136156ECC81A8A8E9C1081FD07FF038
                                                                                            SHA-512:F79F07492674C88AC76EF3966C38BC5C7C1A2190A6A5778B5ACACEB8130476FBE7C48C8CC3182663ADC61FCD4BF0C3342EA7CD2147BC6D87B449280F5B93B8E9
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61032
                                                                                            Entropy (8bit):6.545333848393183
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9PebzfDSD12NfIBLCOP8mTtzDd0Wx4Ky6Vlm3KlbcGUYTo1f8Q8ZOQXOQ8M0Qb:E9PebzfDSD12NfIBLCOP8mTtzDd0Wx4i
                                                                                            MD5:E3C3CD6A7D0B5BE8FDAB1353EC88E841
                                                                                            SHA1:25F66AE84F3804709441812F9148CC3638F44ED9
                                                                                            SHA-256:147FC977F5955EE8ADBD02DE361444D7EA76AA52C3F376E817D0031A1798586D
                                                                                            SHA-512:0740D73B3E3AE434119A852DBE23295407547CC45A015B5C41E32AE7D2F9681A8681D6BA30224D8812693B2EE6A8C33C28C0B9A6E1EF6305CCCEDE435FC07898
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.487928672817359
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:zO9NagPURiGTqSzcnYzsdxAeetb2YHEKTtWA16o3vPjBjtLP7bUcEikkHwsMzEZv:a9NagPURiGTqSzcnYzsdxAeetb2YHEK5
                                                                                            MD5:E63026CCA00C40945973E40C060537D0
                                                                                            SHA1:0B734DE1E644FCA3B91817956079187F107B88CB
                                                                                            SHA-256:8AF427016925C688B075C8E6621F8141B6CD47C585CD2AEB1E6029F27BE881C7
                                                                                            SHA-512:73CF03C490732D18E94A0076FC3F4ED0B3E20B9FCFB46BB8AEB3FC25F7D3AE38EFE51229170567BC8735AA986A49D4FD06417EA66DE5BF48106AEB50992414BA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.531167197804544
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:aO9WAqYD97mcB1jaIJB8E3rTYSXxVG12uonduxkeU+BJRUJsQVr1q4EikrkwsOzf:j9WAqa97mcB1jaIJBP3rTYSXxVG12uow
                                                                                            MD5:00F47F64738E11F38F72C6C82FCB84E1
                                                                                            SHA1:1F55D1C6BF1378CA0E8B564E248C2483A59FA07A
                                                                                            SHA-256:49CBA0B6AC65DB3176B850D610055A6F0897F121E1DD6FEAC1F419986627AE24
                                                                                            SHA-512:1B586222146E4897E9B3DF351E9AAFAC4C80958629F1D255225C265B90F7DAEB4DDD9273E8944E08D19BD6278AE49A650B2042F9A7C2D62193131F1C31392883
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.471403653759095
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9P3y5h0Fp0NK/gRcFvoZ4FKKC2msifHLrEvI2UzpCwqPZHas2dyHrWEikrQws3:Z9P3y5h0Fp0NK/gRcFvoZ4sKC2msifHf
                                                                                            MD5:7024B9BB3F91080CE12B744352561DBF
                                                                                            SHA1:C971444A6DF7F332FDFED322F764DB15EBD398CB
                                                                                            SHA-256:4037E573F2D03C612B1A18EC231B66291722096B9CA9BF5B9EA6387EBFEDEE35
                                                                                            SHA-512:45B4CFFAF77FCA07DEC8EEFFDE6B43BF1F1D54FFE16C66A7F2002E89520CE412243844AE275A01218A7C0767339467731420920C4C943574AB3A6D52919BB6A9
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62048
                                                                                            Entropy (8bit):6.68305367310075
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:EO9WeuzR+bLcQmuGuRuBG6v7yM5uGJ0HIc2N37cRAoXDuII5ZCUaRvEikkgsRzzP:x9Weud+bLcQmuGuRuBG6v7yM5uGJ0HI4
                                                                                            MD5:07440CAE8E6B27E2BC26386AFDDB70B6
                                                                                            SHA1:76084A1A6A5B8BF6BC688B0D88228F422AC07144
                                                                                            SHA-256:1EED650838D7C0BBEBDB83A1B8D9997D2012FA6E1304E2B7BA6828AF6115F3CC
                                                                                            SHA-512:C759918FF36CEAA7F1F9F4FF22D1AD578E1DE997E0FEFFA005801693815E2F8D1E5200B1975BF4711D5A20067FF72E31B180A504F927E80F82F5F9BF1FFAAF86
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.6739946564864026
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:hO9WAqhvGiu7WCbAfU8Uvg2LKhiM3fYzsKNLz89SghOD/4Ke5XzjEikwQAsAzyZO:s9WAqhvGiu7WCbAfU8Uvg2LKhiM3fYzU
                                                                                            MD5:356873E063BD208A4D216D5276990B49
                                                                                            SHA1:78CBEE7DD690AB66760388D5334C4A4EABE95438
                                                                                            SHA-256:D583A30A4C38711ECF4CE369D153994297705086E264C5D083A0D9BDF016F980
                                                                                            SHA-512:EFBDBEB5569BBEC794D259263129246DD125CE338D2C7225D3DCDFF8BE5685F8D035C567C6E9C78740C7DB7610D1F423D55CC5B12E8F9859A6F1581119F1D392
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.537260960859277
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO9B5vAqvshLrR3gUZO2A9oclmD1tdDnpRmtQH2QKDTLXosU2ex+nuYEZEikg9gd:29B5vfvshLrR3gUZO2A9oclmD1tdDnpe
                                                                                            MD5:D02761F132672E5B23C669A12FECDEE8
                                                                                            SHA1:4EDE1CDC961CB562E26D895304EA15DC7861F909
                                                                                            SHA-256:37B47B96EF781DC85D7D16AF45E9CCBECC621BFB8829F3E7F5675DCF30787C0D
                                                                                            SHA-512:0B896B49011A6292ACCBA5A2C2E6AEF9144889A9EB57E37C55AFB2DC11C861FCBCD363C05833F1F3D9E3DF70CD77CBDB5022A1D8AE1B56DD2050C2EF46027251
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.550250140012729
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:NO9jvyffWGiHpdYq84Ae89YJTrjz46UNhNnkGzColMa9TJERMCx+Eik0QsAz6iAY:Y9jvyffWGiHpdYq84Ae89YJTrjz46UNu
                                                                                            MD5:3144EB325CF91713A398CADF793050CC
                                                                                            SHA1:DF26539AD41F2616F7B19A852058AE1057955CA7
                                                                                            SHA-256:79994B09E068AF6A30EAD314DCF59D0DD0F76AFB628108CBFB20667EF04487DB
                                                                                            SHA-512:BFC3BC6AC117435C1F2ACF94417368873502C3DFF6C838273E3BD8D91C394769F2390CA3766FC241CF2533E6593609606272CBF0413ABC75435F1A9AAE4DF2C4
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):575080
                                                                                            Entropy (8bit):6.521129188359906
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:VUfve/yP6vdqumz2etG5ePx2Fl5/G3XLSNuDaQEKZm+jWodEEVfKF:VPbl9G32UDaQEKZm+jWodEEBKF
                                                                                            MD5:80B9E0B8F82ED4FA77504E8542474E62
                                                                                            SHA1:7A1AB5E2469F66DBB55AA559EEABC802718AB5DB
                                                                                            SHA-256:48E9CB77BFCC210DA6908410C9D604EE5401DAAFCD18A6EDC8028FFE2296CC0B
                                                                                            SHA-512:EFA6D3B877E4809E4EA0903EDA6D500E7227EB5FE034163D3E9299CCADAFB41B2D42E5CB00B015F3BFF46BB302DFC9789E8F60C020D1E8C61817D4F47DC6B9DA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.506596897827211
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:rO9NAXZqHGnAfUPOMnwjxNK0/84Z1aBBX2dulK0rEyKpFbFK0qA5n0EikpAs9tEJ:y9NAXZqHGnAfUPOMnwjxNK0/84Z1aBBN
                                                                                            MD5:EB594ED6AAC282A630EC76A6C666568B
                                                                                            SHA1:CC9405D539AF74D6CBB2907169179B32E2E645D0
                                                                                            SHA-256:71BAE7FCF4BB8A311A91283AA248782C844D9227DB6E1FE04E48A4CAB14AC526
                                                                                            SHA-512:BD31CC0E98DA09876A79C0FAC14C0C196AFF161E96765B4AB347208AE11C4E19BAB15D270C319F3ADE3D8B00FC11946DFDCCF6BF2783F44D9E663895017FEFF6
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.489311459832048
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:WO9PR9q4u0ayE7tbVTGDyl5lr41AcUV3tbUe1FdFYWssYYzTRo+0W+zmtq6+D+rn:v9PR9q4u0ayE7tbVTGDyl5lr41AcUV3L
                                                                                            MD5:BD45CE1BBD7F5130195DBD73AD56E606
                                                                                            SHA1:5A817D3AF42A2354FC668BCD4FDFCE0DA0D35570
                                                                                            SHA-256:D02D2FF4F09DDAF6037396B99D25FB1FAED784C6C4CC2170D148E837394BDB52
                                                                                            SHA-512:64478405C87E625E4870A6ACC183625BD8DDE212B2A09A71A7A6E37C2849296D74A70A1E3C4AB09118BA2C800591B820AA842251CBF2DF87EE8FC99009028976
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.514600219985342
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:MO9NlqiUFxfhZjVqvA/hIlCsOdLM0SB3b6RCJmwc3fF1p3Ruoh9lF7+TmuB/BYSw:59NlqiUFxfhZjVqvA/hIlCsOdLM0SB3w
                                                                                            MD5:DB3654FF3F605626B6DCD8FAFC855E1D
                                                                                            SHA1:2438FABB623F8DB213E12B483C050FDC2AC71567
                                                                                            SHA-256:BAB4A85FD4251CCA4F6DFDE973396CA574D320BA0007BAFB5BAC6617082CD1FD
                                                                                            SHA-512:24E47F36164742E83DFC58F3C08B1BEA712C92BF51281E2ED310010DAA0028286BEDBD1B9DF4DC6EBA4E77E62A23CECA45128851EDB0FDA222520C67B50AD0AC
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.5286663954726745
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:tO9YM3z1nR8zMuKIJycvcygytrpu8hYGNNxYjEF9dmPTKgMsGRissxEikiQsjzpp:49YM3z1nazMuKIJycvcygytrpu8hYGNW
                                                                                            MD5:2F6D6BF4F97F9FDF61FE4B9247665AC7
                                                                                            SHA1:30B23726BB0006AC28DDB0D5D2E0B7936D50263C
                                                                                            SHA-256:C617711C87A7202A62275AAED8BE5CB7BF5EE8AB6C12B18A830B22653D44F1FF
                                                                                            SHA-512:2F74D1A5003E8F8CF504AAC062BC9F7FA1BFD1E846F8E02DAA5CA6991D576755D83C0B14F90F1BBF6DBDF4B85F5DF945FA4A13DC849982A8BFC31130C6870273
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.512637538205462
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:9O9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/PIPq7tzZtq93YcZ8+gGRlEikIQsVzvAf:I9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/T
                                                                                            MD5:8C9EB5AFF7D0004D30947C194E25ECC2
                                                                                            SHA1:959EB3185D0466563B5ACF81D523E66B2159E343
                                                                                            SHA-256:B99AAD3F2F2318CDD199582B671BC3DC3B3FC6EED93B58197A08EE4DC4F3B9D8
                                                                                            SHA-512:3052152934E817301E4F9A5B53A025F659BA736895BDB1B5F477F338D4F50DF7E98ABF4F11AE3E7DF614F57B9718A66FD62E44FBA34C4C09F557FA0C8631B12A
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.492692129735815
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:qO9P3hKCp6OYLZur7K/Wwtzx9RA8YGsBo4bUxOhTeiuQKYGasX2qBEikWwsBspz4:z9P3hKCp6OYLZuXK/Wwtzx9RA8YGsBo5
                                                                                            MD5:8D810F97C5E04EA5CC87E2C8044D6DF3
                                                                                            SHA1:80C1EF7C2F54626C96B6B192662FEE0CC0551B84
                                                                                            SHA-256:D45D72FA2F69646E368DFE35F4796AC0CBF81B1820F5CAA33B15BBD6D9CAFE00
                                                                                            SHA-512:98FDD764AA6682A6AE434D1FE7202F6E2E776FED3142E4AF069704D05CE35EEC1C0B40BD8210BDE309A3DA1E2C2A2ADEA5D377F71065472EF4C760D434421051
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.5227816765189095
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:aO9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdlEhm5AtmxhG7TcFzCQOnwxEikrgsmZzp:j9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdx
                                                                                            MD5:BC13EA7F2F6C6488B93EE84A12A5C67E
                                                                                            SHA1:128393D9F9B3D6E6C14232620FBAE67AAB45FE55
                                                                                            SHA-256:29D108F22CE4B6AA310AFF0420DDBE6F085381F4EC5E208E1106C9667CBD8694
                                                                                            SHA-512:38C7289F2D367D29DB10ADFBFAC21BE26287100CA6F34285B63A3B701694088603192890750BD0DAC5171738C7C1E47AA0A8A2360E7682271695973CDBBC7742
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64584
                                                                                            Entropy (8bit):6.607514539190837
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nO9MFcYvxELwVgZIvKsk24cxu1XVwNCMRTid1j2rIgfdqI5TOfHtUI8EikGGLwsV:O9MFcYvxELwVgZIvKsk24cxu1XVwNCMQ
                                                                                            MD5:5EE803D67F4C341073334A062DCEAEB0
                                                                                            SHA1:B09E00E0BE185271E40488C9F1C6C4FF407B8C76
                                                                                            SHA-256:FF8565E4040DFD48EA209456DD7C54F92CC171F3FAEE6235B366B8B8FC14AED2
                                                                                            SHA-512:C21FDE21097FD9E7E82CBC6F726D2CFBBE3D2B97132AEF6812CF33BA3BD856BDB86EEC504971BB6E2FCDD91A84F4BBC936BE8E02611ADC32E2C79F7A383DF753
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):151144
                                                                                            Entropy (8bit):6.290559037571387
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:X/bzlLd3z9vuTuKTVFfXaRg2eslTqEtBOx31dlEEW:td3z0qKRRX9Etee
                                                                                            MD5:AAFD0A37DD5E306CE6C049D998DF1ABE
                                                                                            SHA1:C1E60170F45B5FEC06A2708DBE92D6A0EA79F828
                                                                                            SHA-256:6D4E45818E68B910A35EE49076B7C058795BA0AC06AB9D4F9AE39B72B13A0292
                                                                                            SHA-512:C4D023CD37EF87C2DD2EC10B996D055E3B9A52CC5EE0AD555CCF5765D2BE1EAC99E647CB975204E3B4C70D776CE5A35E65956ABDAAFAE00600FA89D5FF625D40
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.55399526567631
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:frO9gebhHq+ugsPXU6d/ic7SFgw0FAAgWwUT/8IS5RhOYPi5wt7DnTEikDwsQC45:a9gebhHq+ugsPXU6d/ic7SFgw0FAAgWK
                                                                                            MD5:B04010BB25B1AC49817595E2FEEB6267
                                                                                            SHA1:DCBDA104C5112E60BD0CE07D114DFDF03A5445B8
                                                                                            SHA-256:1DACFA2C3100EB9D635E5D6DB5E4F72B451F0175712F62169D3877C454F15B0D
                                                                                            SHA-512:BCA41D6247A724AC8FFA11A1E6108469DE22EF6B71EB679666C680FB347E1A23FFB5522C8C5E69D061F75C2767E9EC1CED6F8C62814F06497D7FE31EC27D31BD
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.5077376831024445
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9mF2xWvZr5ttPBV5ramm5IgejsnMniPqhm+HFZUI8L0CmJ67V86o1/7EikS+Al:E9mF2xWvZr5ttPBV5ramm5IgejsnMnim
                                                                                            MD5:04D6237AAF39CC1B60A8DDEEDCB8B118
                                                                                            SHA1:81D860BD18C4BC020ECC2C794EE3610FD2DB6F0C
                                                                                            SHA-256:263411C49C7138CD813093CA7BE23A01F8B7934BED41133DDF5838CBF47EA2FC
                                                                                            SHA-512:9E775EC5F197921632E9D65D2F25A83F8FD25EFFC3381D6816C3A8A256C28B3C485491D3E20749E4F962EC36D567E0F080FAE2992A60A5571BC580E647E235EF
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.509192080147688
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:uO9ADvQ094ML8I+w2zbtseqNaio1KHc4hUyFE4RlxgCwXVn03mO0OHk0Eikogse7:H9ADvQ094ML8I+w2zbtseqNaio1KHc4q
                                                                                            MD5:AEEC00A83C3FBA182F9A931A0A0C7F2F
                                                                                            SHA1:4FEF5D8CFC73550A92036CA984360871E2272721
                                                                                            SHA-256:651DCA613FB0141E7A0AA256D5856F6114073B344A91A614E68B1DF1F87C887A
                                                                                            SHA-512:D54DC3B0FF39C213ED771481441C3C7D689F457A6632BB4BE38DC50EBE3970F6CB7697A535AE8296A5789253720A229ABAF2A2129FA4577535E257E1A3829D78
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.533113744944594
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:xO9NbIMAwsK92xi/p6ZCXczFy597Zh3ndpqW7A7MlN9XXW0LlTcE56HvEikDQsrA:89NbIMAwsK92xi/p6ZCXczFy597Zh3ng
                                                                                            MD5:FF9ECD9B097075575B6B0B71FE7C8431
                                                                                            SHA1:C1D67459FCF36A5DE54FA88A8195F9A41F4F7E09
                                                                                            SHA-256:F18142E0B49C0BBA9E3F16C45179E5F86372C0EA9199CEB6F95875352ADE5EAD
                                                                                            SHA-512:CA32500A21F91762C3C8E8C3935C493D780262E5E5DA27E031A7DD1BB410E5E5774202BA1DB4BC7321B5BC64310E1F4F53E31C84FE38937DE1B1CAB6FA8EA5F7
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):69224
                                                                                            Entropy (8bit):6.490605086681413
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:QO9f4A05v/3yGE0k4otwhknztUWCH34BsBrs+9XgaCTK6pO3/SNmKWREikrwsmzA:99f4A0533yGE0k4otwhknztUWCH34Bsi
                                                                                            MD5:3E5B1BCE67D4B752BA5C5849DFAB2500
                                                                                            SHA1:070C92D43E04F7FE17E617B7885D0E4DA09CFDDF
                                                                                            SHA-256:6DA0C2FA24300190CBE93EDD1EE7D9D1BAEAAE5FE4E41485FA9928F93190FF63
                                                                                            SHA-512:9D4A640F9C9D1FC8F1402024F1080BA2BB669BB0522313BCE8D4E9BFD136DED3EB11447866F1856487DF6FA407FBA072D7D7B29F0FC538E7EE676775DDA69B9A
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.536989118356474
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAZ2tWD5WtcRxzkebFbrLyPPEikYAsZIz3:E9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAN
                                                                                            MD5:ECD1472F7619D89326F308DABA8CFFE3
                                                                                            SHA1:AC4FE0B2501AF9FE2866F0D028C5FCD56768D431
                                                                                            SHA-256:9A41DEA86E5298CAC5F601F58BA4100DF330B8C342064ADE82F75C517A3B0CA6
                                                                                            SHA-512:497CDE74ED8A0F2C264895B27DBA345725EE35D886CF4530A2CFA62FD71A2B2D121A5E0A7900C890CE73EBE539B57B82E71FBD4C06DABCA68397B596770F9041
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64072
                                                                                            Entropy (8bit):6.608282850162704
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO97noksNVY4yQM8s8KU9oTU9j6qImAdgM3XRPW+292RK/1BI3HkkKajOhEiknAz:297noksNVY4yQM8s8KU9oTU9j6qImAdU
                                                                                            MD5:91D5B8C378ABD54B49E001DB04413E73
                                                                                            SHA1:8DBFE4F8589F584D05330FACEA335955905E090C
                                                                                            SHA-256:123C3AC7668699DAC8D68E84E31CAD657244E5CB25C698525D1CDD1173D4C0EF
                                                                                            SHA-512:D0E689C099FF906EEB33B947E59C3753EFDDE762D3250F6A506C54179A2C11813ABCD7F99C7792E8072A6DE7DC6D31D27FA47A138AFCD827EC14A69FD405874C
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):107080
                                                                                            Entropy (8bit):6.637040413259322
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:rWD4eUp+HQpcNg0MFdH+F7fecbTUwevPGY:riPUuQpRdUNecbTUPn9
                                                                                            MD5:A973A87E053354B8E5BCA3940970EDA2
                                                                                            SHA1:74B0ECB1754C0590AC124DCC838A41FC55B34AB1
                                                                                            SHA-256:DCC03DB3271E2BF54D44A790119799DF9E217B73DB84578B24B5EC9F082E4BB4
                                                                                            SHA-512:8E256712E9D0FF1F328ED85BC7418238C5E65D11950411F437733FA9E6E554F079D25F06985BF7E443B2BC2E44B57C272327173566281CFE65CC7D8ACDB16640
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):47712
                                                                                            Entropy (8bit):6.743964781245747
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:qdCm5nhUcxgHY/ntXBzxvbT71oel9zu/AmV9zi:qI1z4hx71d3zMAmnzi
                                                                                            MD5:34798510935FF576CDD2516AFB3D5BF5
                                                                                            SHA1:98E6CEFC2C6761D602742DC23C024977ED71280D
                                                                                            SHA-256:AEAE775B321FDD5B2FDF88D4D21F8119C376D6909839671B35D8E03A04F6B609
                                                                                            SHA-512:F18FB3A2E4A82DF6B025E037D4A730B6985C212936547E0BF19D7AD76D7AA49B06162A773EB99664BDAF1A37932AA2CD35DBBEF83A89BA4C80505E820C3AC13C
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61536
                                                                                            Entropy (8bit):6.622372328119638
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:TO9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF825mb6ZB+D31jnVJvWf6Qjlux6+nEikSQ:69gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF8g
                                                                                            MD5:906FB620C50C4C7EBFF5791603490271
                                                                                            SHA1:37AE916A56C30D81B9617F8503EEED3992FBC05E
                                                                                            SHA-256:2B58D9BE8E4F6C6F621AD28F590A708F5EA2C87B03C276AD6BFCEAFC3FD80135
                                                                                            SHA-512:EE656EC98D1C3CC2B570D8A187B3DC24DB9202812F75372D2A23820870FAA625FCA945BD8D388FD3511744003B236AEC5DCD675945C4E59FD0D3BF51E345F60A
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58440
                                                                                            Entropy (8bit):6.69454740850101
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:BO9WbWCHB/rkbEqBAVidKSlcZSI3+B0ncFytfjCqpXFBwW8jeFLd8EikKwsOnzex:M9WbWSB/rkbEqBAVidKSlcZSI3+B0nc5
                                                                                            MD5:CE1AD81DEDBF6F14A73ACEE060E2A1B7
                                                                                            SHA1:EB494BEB84E84FB1B2F9269623B00CF9D28FBD8A
                                                                                            SHA-256:6412546AAA0E1C24A8381520DFC495C6F9D7789BB912F8EADD48CC7325035E20
                                                                                            SHA-512:FDB847D2B021251CEBED07B437420CD94AAB1BD92B60C3873F33F1B68CD9B0D9A0287C34E23087074251629EA04B7B0F5FBB8AC3C530BD6621D2B601AB04375E
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58472
                                                                                            Entropy (8bit):6.707560977053907
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nO9WbWqDTFAyR6j4hxW50IEdIhR2Ji1paNSh0CvJaCuXaSQCHM7IXLDEiktwsOwV:O9WbWqDTFAyR6j4hxW50IEdIhR2Ji1p3
                                                                                            MD5:1330C50B0A761AF68E519A0BACD736CC
                                                                                            SHA1:7CC90128B38291F22A483A6F19299ADACFCD62A9
                                                                                            SHA-256:C859C796261C20575473A3B7680B0464BEF20F8A0E3C3807F05D4A360A63167A
                                                                                            SHA-512:BE5290A1384F90FCD564F94FEB2A614768806E224A2E71AC9ABE42289241485781922B406F8D484C0C485FF9778F5E6D43903DB73676C55DC33FD3D87F78C761
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33864
                                                                                            Entropy (8bit):6.6749170427672215
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:bgYy+J05SY3wauWD5Epw9z9gElzEpw9zT:FMcYgauA5Ep4z9ZzEp4zT
                                                                                            MD5:7F17A972A3F083FC309E93C9ADA8AA10
                                                                                            SHA1:0072330558FB6E91FE6801DE71ACF06A716BBA5C
                                                                                            SHA-256:98B6CD35884C8AE37F33196A132D0029100C0BA8AD2EE0C084A4870CFA832214
                                                                                            SHA-512:D2B924E1BCD5EB260B17CB58E527E87D6FA9E772088F95DF6369599D7C4FFA3866F83D35F6AB333667C129FA8AE9CEE781A46FE8781B37906A60AFC301EC48CA
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1016
                                                                                            Entropy (8bit):7.73830447681088
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:+5DjKVMPFXHX5S4wKHWKWZGmy/xRftEircOiO8UN7O3:+5i8HplNRmKtFPPo
                                                                                            MD5:E3B1BA3900BFFAE493B4463F9A6FBC48
                                                                                            SHA1:0BDDCAB7F9537F01900CB7A7AB0FBB1042E460E7
                                                                                            SHA-256:8FDE3D7378D0E9148068C3A9406D5BD754E93C9810FF5D2B8535FC2B65E0830E
                                                                                            SHA-512:8CA0A6304BD871B1F2BECCF6AF9CBB2EC97D05B233B9388CFC760B262509B8BF6F9B50B837D21018FCA6E8627FA11AE67F6AF49440A837701B4C9AE920585246
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1237
                                                                                            Entropy (8bit):7.788008184019191
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:GVwVpPtyAjoNiCkbbtwi0G1UA9WdK+oJgsQ6QVdAmwQATjZWwrpFbVD3r:E6FjowPv70tB/oJgl6Q8mXAT1XLr
                                                                                            MD5:6974CFC337BF190D728C6824EF94AFB6
                                                                                            SHA1:741DABA13F01C19518E2E1E72A93DF2C96227934
                                                                                            SHA-256:115340C0940669C7A55670F03737492FB86D5E34E0390E5664EEA3F9B4147B0C
                                                                                            SHA-512:679AFA5D417748680624314A6E5FF63CBF37D11BF5E95FD2D2114076F1DCD75196849EB39B1D456A8A5DB0019EF2C4C2FD61EA70651DAF158B87A69D8B017FAF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1555
                                                                                            Entropy (8bit):7.805621612269991
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:xyPSt6BuLqrVii+xXSCLqmgDvjUEAkgoX1Amyz/zaY6pGtqPgmeAkG0ZZz:cPSt6G2iimqm+6kgDl/t6iEfGz
                                                                                            MD5:177094A528723CEF49FA2FFDFAB57CF5
                                                                                            SHA1:CBAE150EDCD83F2E9BB87A0BB86CF076EEBC41C2
                                                                                            SHA-256:66CD5E3CFC69AF5087D33C570CFE424B50935B01C27E618CA11822AC7AE6D1E6
                                                                                            SHA-512:AD9394116D2E132EB2BFF48F1AE4AB7AEC5B372FFD2B7B41E29CD8BF26C87725BB48D0C3AD85F7C3C94B4556872A06876D1E95F4AD8A0CF63DD949DBE350D8E8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):821
                                                                                            Entropy (8bit):7.630755600269692
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:L9IW0j2BjoUb25MCbt+OzOGKynRHS/0psG7:LaW0l2Ut+ONRy8+G7
                                                                                            MD5:FAFBA571265B20E0EC4423FEAD972E1B
                                                                                            SHA1:B686D74FF48E3B990F0E312BB0F3AF4E8F53069A
                                                                                            SHA-256:1FB3B4832E92B1E2F998CD2FF4A872000822CBB897D869194195E5C4F8D43CD0
                                                                                            SHA-512:D0523CCC27436A80C5A14094AD244349EFE68FB5A813F97539C3025FCC1F05D6CEC9B8FFD04883E35BCD787A36901246687162B4B86717E81E747B2CF035DD2D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):574
                                                                                            Entropy (8bit):7.347738166641519
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7iHKcqzpeXnDvyEqCcmpZndaYcfyYCta8eq0NRFWBOfmcN274Gl2E7:6cqFeXDvyEqEpZdaYcStx0LFgOfzkUD+
                                                                                            MD5:503E86E4628933D17B5B41B4918D6C9F
                                                                                            SHA1:F884F45CF4EF5B435E554EA30F654F076E50BDF5
                                                                                            SHA-256:1C80CC98643E1D060B9443C98E9AFE663125398F7BB99E5BAB2C0EB952C9C111
                                                                                            SHA-512:22D115A09597F7A8CB0C5BCD0E0BBA55798D3A431B28EC27E9DDAA356BF0AF674BDB78E6D9A3911E2750354D42A8AD628EBD0A7716410360F6D1160258E12C98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):627
                                                                                            Entropy (8bit):7.55832772949955
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/76fR8ZKPil+HE3xZKPwUonTJibKpwwCzc8oRNn/Dna+z:7R/PUsE3xZ/zsbKpcI3Dna+z
                                                                                            MD5:75713D844925AC3404D59C5D56DD996A
                                                                                            SHA1:88F0F5B5450772A85FD61FB5FD54C3A6F7E48585
                                                                                            SHA-256:D4746496079E9C334715958852FA8FB59E54DBDEAD19D83001FA15C1793D27B2
                                                                                            SHA-512:B60E132BD5251084B2C7A22591D72DFDFEBB7A24987ADB8E78CA345694F6043C1F3C7A9205B6052CF3846FCF33179506BFF88C1D1BC8093A7563CF150EC5D30A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):875
                                                                                            Entropy (8bit):7.664401472706693
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MnF5WncYHQTt0feBgmzpRjRqgnoEmDDxM4xr8LTdIDg5X:MFAncIQhee+mdlRlTmW9uDg5X
                                                                                            MD5:F323D73771349B6374462B8A4B708D83
                                                                                            SHA1:39F8860AEC7AC9FF8DF80C770A23F3AC8C3BE4A1
                                                                                            SHA-256:EA0327CD2D987CF069747F70A317E552C0304170177101AA578F04D2EBE9FFB6
                                                                                            SHA-512:5377FD3886FCDEF87B61F1CC825655E6B977E370563B2C2F7B3BB675B8ADCCE621A47F056945A9C0A41F9C10BF4DF6694167E62A310B146587F898D39E753EB2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):483
                                                                                            Entropy (8bit):7.310129121242215
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/78zmIphkxF+oabzkBMDRbuyP+3uvNg9e8lJD+SF330YN:46m0hRl+3q+nD+SiK
                                                                                            MD5:A2761DE768472D09D1E02C92EBD144B5
                                                                                            SHA1:60BA18F0FF47B9E9C3E23B5AE9E95E3D319B5C5D
                                                                                            SHA-256:AC7FE3232888BF96C520D586C723149CD3127E1CE7CC65BC35BA1984CC27BBCA
                                                                                            SHA-512:F330DB55B79E561D2DAC1CD051421F91D6981A489A004EB0EAE3AE090B1386DDF46EFB675A9B6F75A0BB83F741B5DA12E4DFB872EE41782773BFAEC9014CA667
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1626208
                                                                                            Entropy (8bit):6.836593084030771
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:FiooDWLdfZohLu+Qzv53gyYq/t1CjQaLOGwkR2HwMuTwbXjBWQ1KLgKRw4jZh:Fioo+dfqL81//Ijt
                                                                                            MD5:56782B45762DEE25B58E68D574A91468
                                                                                            SHA1:B36B5BDF938132CDE279F555C3F0FFC58B17C540
                                                                                            SHA-256:19071E7F9D27FE8E766456FA5224A12588DECDED12AE305A082A5BD48E3D1CB6
                                                                                            SHA-512:1161162EF540F5D327367BCE65B39B1154916FF8D36464FF571F9D7D70F9572E48FDFC79B467917792629AE0B4F5B787798858B09370D36BB837D9A1D5D4B9C3
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):78408
                                                                                            Entropy (8bit):6.129481246167649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nm6516C0z6v8JyJNPk2DuttJ6gDEkeLGzewZGLzw00f:nmqEC0zhyJNPktDXiGyRv0f
                                                                                            MD5:EEA13258A8B7DE541A74D2912769F2A7
                                                                                            SHA1:542082376A88F30ACAE47D71737A043A05334B1A
                                                                                            SHA-256:E4FA6AC046B919137158954B182A647129990B70399C9894CE6918F0FA893262
                                                                                            SHA-512:A8E7A6F7476867199D2E499ED09F11742593B398FAC4B4F3CA9C2D3496AB2A1B80A5E439F4444342D0A30BB3C74FB1A616E508DD05BBAAF6E54681F5F56BF8A9
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):41032
                                                                                            Entropy (8bit):6.710594759580758
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:vS0Nb06pBrs9OoJu8Gw1OQaXV9zPgEllVXC4dC9zVj6N:vnb0NO217GnzPZ/C4dezF6N
                                                                                            MD5:E6F3F341BAEB31F4196C3085FB34F767
                                                                                            SHA1:D78EBC71D36B06E0DA7FA41E6D7888FCC71042B6
                                                                                            SHA-256:4BE875B73CD50A95A1480FD3330222C278903DCFA9EE73263198D860827EA9AF
                                                                                            SHA-512:A38A81B096D215E04947BDD2E7D1532E676C8E84DD9CD598D98EE5EBF5C1197CF1AC690F28DA0EAB3DC1CA42CE0CD9F1EAA0901E7CD55C1ECA927D86E880C365
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):937544
                                                                                            Entropy (8bit):5.838809981110096
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:uMt+vIZDreuKQvgXyexT4Yn2sxGwmBgjoIb:jVbgXyeV46xGjBgj1
                                                                                            MD5:528D783F83C540EFC5F138D21E8C1696
                                                                                            SHA1:64F87F45719CA06143AA6328A52E6A96285DA63A
                                                                                            SHA-256:CE06CDE2B771E6E215CA9A10F8739A23AB2990A53C32301E42838D40E8E355F3
                                                                                            SHA-512:ED2562BE767103C2FD7179B0F632A2250F8EF97950341C6D0FE6AC8BA347499682CF7201289169855F313D47833F863FCC110B54864A8BBABF046FFD8B5902CF
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):252512
                                                                                            Entropy (8bit):6.362389658905794
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:yDooTOC7Qc83rAUPtqy/KOak1VLsJYI52ZTG1h7iriwV3nm:yDoor5+lqyCa5sJ/7imAW
                                                                                            MD5:7FEB8740803639B2D4F945032AD5AB35
                                                                                            SHA1:1A96043B957A544D2A683A9F34273B3D4D410176
                                                                                            SHA-256:7AF7AB8BAE45CC39108640B02BF864A0923EA9249C11D11DFDB375ACCE6A5787
                                                                                            SHA-512:0469C31C0BD093C46FE6268B1EB6FFE512F198C1EAD0B4D463072F2C0F5AFE7A09A4C80F8FBA89714B2B54DB3C111AEF066FBE0D862EF2C2EAA86E8D4E5DFDA2
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):40520
                                                                                            Entropy (8bit):6.639030202064737
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:oom7dmnAf1mkMF51ap+v/7pKK4gKK9zNEgElAVXC4dC9zVj6YM:aR+aps7pfNfzWZ8C4dezF6YM
                                                                                            MD5:B05D496887FE2A9E6EB1B054D7C67FD0
                                                                                            SHA1:D67E9867684EB6ADC456A8A12DA59A043ADD9F63
                                                                                            SHA-256:B66E0755E36F168AF5AB5EBF6FC493FFC6ACF322DF0446DBF03D9531F1ADFE81
                                                                                            SHA-512:2C5BD0172B2D9B7CD629B22B25E7C7A1FF19BFC7A831F622E7A388AA4D9F2FE3F2A6D2A48F5BFB81B727BEAD80B07A07F5C9EA1777747EBBC46E806398223D2F
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33384
                                                                                            Entropy (8bit):6.800503141051873
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Vd5BNiiCEvdA5LfyacHbZTmwBWYsQWRCs1MR9zlN5W2pM/NEHRN7b2IR9zgRqt1O:VdrF05xwn0U9zl+2pIAKU9z/0
                                                                                            MD5:32743467628DB11AC5AC9C7BECF72430
                                                                                            SHA1:26FF39C01012934345C3FD4B156CEC0BD240941D
                                                                                            SHA-256:79906800C06A9B80BB204233EBB7EF05168218C687B47E7AC1DACE115A028CF1
                                                                                            SHA-512:09455FAEAF0E21D1E6C2A5413C259AF8AD44E674B9EAA766DB9CB4C71A659B3E77177C52292B67983900AABFCF8B5A31FBADD4FB711A72D8DFE5A1EDF24B5C2C
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1097800
                                                                                            Entropy (8bit):5.792143415990996
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:AH7EkgPiZ5Bsu0G179oVVmfLEq2awGQUZ:a7EbXs79oVVmfLEqNwG1Z
                                                                                            MD5:257D3AD395C9CF96B0B06DE7AF86959B
                                                                                            SHA1:B6C9A1E7EB119C7A8FF4FA0F9D3FB96DAA7E25FB
                                                                                            SHA-256:D6E3E4C181A50F751BF0ABB51E9F678B8A670144C7ADE4DB99103A2AFE9FFFE8
                                                                                            SHA-512:061473D98CF2397607CB83EB59F49F028D2441B1F18E11B64F096E3FD2FE85D8A400FCC9CF60CA7C596218BED46CEC417ABC16ADBAFC899DC678977AE58D5A4F
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):515
                                                                                            Entropy (8bit):5.076136391837345
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:TMHdGzNFF7ap+5v5OXrL/2/tFicYoKV7VirkTyxm:2duPF7NhOXrT2/H9kirkV
                                                                                            MD5:ED080ED5825CF4893CA4F7D1395B9957
                                                                                            SHA1:3905E190109E5DF90676F4716A69C815A6E52B44
                                                                                            SHA-256:29F368DEF465F1AE30DF31EBCA4A976F180DBCF3718605B4ACB0D6DA95A30855
                                                                                            SHA-512:73041863B7916B21A56D5C61933D9922D24B15548D7356DFEE42C3AB617F72A04AA8080F3C5EB3F21D968FFB38C7244D4484E78540BF6BB8FC93600A017E43D0
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup></configuration>..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):295008
                                                                                            Entropy (8bit):5.771512173166689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:6ylhq4ugopeh5eBeGNx8cNe+zcee9eoedTeeIzeqRK0e6eR9pRFIEIEEICepM1Sj:2P4eR9pRFIEIEEICepM1S2LQQs1hP19x
                                                                                            MD5:D3A3E82247F81342E217C92B9C89BC86
                                                                                            SHA1:CBD914785348331AE68528ED71E317ECADDC10DE
                                                                                            SHA-256:B39CA19017B8B99385A588433B4AA1CC87DDE272DA14771A9750F00605D31091
                                                                                            SHA-512:EE5968A216BD402632A0CA1073B8C4CA5303CF28F30002AAAF2E7590B565FA3BF951E7B62320E4E3592DE50B9F56F08ECADCF67B50659DF056BB5812388A962D
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):45152
                                                                                            Entropy (8bit):6.663371468091526
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:iTFfTl1XWYTACPHZDgcE05P4Jjrnh2jwSosuTv1JKa5/Zi/6LsubsOzMnXbD9zMz:iTFbHXLPHZDgcE05P4JjrnawSosu71Jh
                                                                                            MD5:F86AFF1B72BF70884B4BE0CA38919369
                                                                                            SHA1:8D3DDF77DE94F5EAE244AD09F9D2ADDCC2DEF709
                                                                                            SHA-256:69B2BBF16659F98D589942A1A3F344550DD1E03446DF4F81DC4668F1D51CFEC0
                                                                                            SHA-512:718F629F907EDFADFFCBCA135DB6153B2BE001E450940722B43C16279CF9ED0A6384D1205D3287F397B2E8FCD9A5615BB2497E8717B6CF6391EFADF1BB122480
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):50760
                                                                                            Entropy (8bit):6.631383698123452
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0X0t7C3ZK8wDP/ryEH0mBO4JjrDXaUfUPLkIFKKa5/Bi/hGvoAwWKSVdxxzXZVP/:0X0t23ZK8wDP/b0mBO4JjrDXaUfUPLkR
                                                                                            MD5:04B900A20C71F7A23BEBA77F88B86308
                                                                                            SHA1:C5BCD7AE974EBF89F6D12F26DBAA9B4FD4CF2A53
                                                                                            SHA-256:BBA041B5BE0946EAEDE57AE31361844CA781C9FAE80607980465C7F2422F83BD
                                                                                            SHA-512:F40B2ABAD653F4433D8B7C665D37000780D7A1289F4B187F8B51CA7C8D577C7D7449A5E12C0DCB1FBBFC45403437D6F9F4AD09CA326239C4D1823908063CE19F
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):714312
                                                                                            Entropy (8bit):5.981067761075983
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:H9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc30:H8m657w6ZBLmkitKqBCjC0PDgM5
                                                                                            MD5:D473F50D1D29B975DA5B6EE0BE8DAA16
                                                                                            SHA1:AAFC94D3C26041CCA3737FDF6240290DBAC1388C
                                                                                            SHA-256:E57E1BD98CF3EB35B61BC5603DA893DD8018BE8CD6CC582D263CD964CE1E47DD
                                                                                            SHA-512:1BB89EBE3EE9D61ECD194ED008C25733C5888FDBDE41A3D248161EE4A708526489A2F79D23EEE97CCAB0D58622ADDE158E07225B8A64AD1F6593CF848206FACC
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3764832
                                                                                            Entropy (8bit):6.859369138253314
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:HEERDAD3OE+TYoUjYnjglMZqCo8q4T3Ka/Z+fsh0EGR+hmahbt3pHGiOTYHf8P8c:HEERDAD3OFYoU8jgGq1V4TaHviOTY8
                                                                                            MD5:C0A14FE8511CF67D40BBC606EFF12A5E
                                                                                            SHA1:9E1A3183E9FDAE57B59C8A5B7A8D86360B175B42
                                                                                            SHA-256:E1B7188C8F3713C188C4B9F3318EB72614C498493342B169234FBDE7FD2DC0D9
                                                                                            SHA-512:4AC4BCF33E039F2404E088FE7E55634F032109EBF53A5EC851525DE75B4116D29CD75D29B186212DF305F6467A47F18D6C6190632FFC0D736C4FD7BA112F43D7
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):94312
                                                                                            Entropy (8bit):5.905204811037498
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:erLOBZPOcQY5bOfk4GftC07uktN9XNEgfpXaXr0iMJgBGILkDzVZl0+88niFF2Gj:eeBZPOcQY5bOM4IuktN9XNEgfpXaXr0s
                                                                                            MD5:A70D021C422B844D5B3708A619466057
                                                                                            SHA1:5F63C78F20FA7E7ACA36C91F209D4215C854C90A
                                                                                            SHA-256:5692B8A4E74EC8484A87D68379FC69FC119E980F79D2765F7FCA5BF5FA302024
                                                                                            SHA-512:A8CDCC3043376A1D25B318739DB7545CCB0ED77C1E134CC03B5A009A655EA6861EE3E7246EBDFFA6D53B6BE31EBFFF93B34322488C1067712F0A280ED2B8ECB3
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):189544
                                                                                            Entropy (8bit):6.2575053993527705
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MXWun8Jw8fCk/Dvf5eso7DpGbG8pwp2xuRLYs8jn4xo:MXWu8Jw4L/D3UVVGbGbd2
                                                                                            MD5:8FBA542C86765B116FD3B6A397196984
                                                                                            SHA1:47D65C9D0C0D07C4E76F3516C90E7FD1CEAC1B0B
                                                                                            SHA-256:7E0C5104F49C2B79E0261BAB191CF7ED25BBE9C01BCB7DCEDAE5C6AA1F8BA94B
                                                                                            SHA-512:89C05EFE882C226EB55A0D234BE49E2D4D639DB08FB0BF85129E672CE3773EFFA82E7F95EDB1F7DE1F3B8B57B38203AA69E8B84CB51885A9CE9918332DC06D22
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1443936
                                                                                            Entropy (8bit):6.527875057204511
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:lTLWvdxPRBVcPrV/guppMXb1xaKbtQnVfAEwCnCnT+XgFz4a0of+IJR2:RWvdxPRex/hpskKenVfA8nOT+wFzL0oo
                                                                                            MD5:7B6F85665FC19F835F60DCFD446EEC8A
                                                                                            SHA1:14FF072047A82CD3259D5895F9EEEFBD7F243F35
                                                                                            SHA-256:A7BDE8B9A4073473A28DB5ABE3C12ADDEC08CCDA516F2DC79A79F3BFFFEC5208
                                                                                            SHA-512:2BBD7FE67DD132C8029504F0BC5E50396A0BC26BEB3D705E11F04A12FC13334485345170B72567C9A865227B55E53FD21712CB34231C6A72ED5A96D992017A44
                                                                                            Malicious:false
                                                                                            Antivirus:
                                                                                            • Antivirus: ReversingLabs, Detection: 0%
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):63048
                                                                                            Entropy (8bit):6.588536490520649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0O9gSK8rih93rkkMy6HMyFPcIk9WvLdQWuB5X2PHJMK1SNahIg8DTuf3TV1EikMb:h9gSK8rih93rkkMy6HMyFPcIk9WvLdQw
                                                                                            MD5:CD9C599823A276D142D9ACB18A8B801B
                                                                                            SHA1:40B12D68A23FF1F31806D56D8A75E3C55A898C59
                                                                                            SHA-256:6412C7FCB2836C0E059FFBA36FDF50882B61A5EC9FF23F780019A52E5C05779E
                                                                                            SHA-512:10CDA635B5F975FACDA13D4480988A465775E6CE00DF0E4D34494D6943347A711B8922AFFD7D96F344A8CBB6FB3EA3A9B4E9E88F83F22C08C42008EB52DA4E5C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):66120
                                                                                            Entropy (8bit):6.543326876591306
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:bO9nxMvE5lU94Zs+uNQGChcfaEt5tHBB8spapY1KCcLJIaSgN8AzlyGEikgUWsQ+:i9nxMs5lU94Zs+uNQGChcfaEt5tHBB8y
                                                                                            MD5:D47B102DB26B2C40ADA0B88864D4BF16
                                                                                            SHA1:5962E4ED89789D36A22130F10F5836EF9FD24358
                                                                                            SHA-256:F0015E72C92B5B83FD23A62F8B0ADF25C53DA2005EB90BDD6ABE83BE4D91158B
                                                                                            SHA-512:72E2F68460CF16EE211A81F50E63A12A61C5838D33D84D5A00C2F9DC44E6AD645A0DB01C22BC739436DD721A5BFE70D2B4E3227517CBFBB04B0C18E6669F444F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.459202313419593
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6O9PKsQZAjb+f5g3GTGw9dLFqH78Iu3vwUT/aDXeX3iqeVQkiO7imJOEikSwsyCT:D9PKsQZAjb+f5g3GTGw9dLFqH78Iu3v7
                                                                                            MD5:158930A69BD74A6476AA3817D1C2BEB1
                                                                                            SHA1:2B9F0777B03832E92C50FCC58BD793C43CE60865
                                                                                            SHA-256:E540D3BBDDAF741A9DDC6F0AB16E4C77115CE1F4B2D4C2037A00285012E0C003
                                                                                            SHA-512:9ED62D6B361248E4AEE394F57488685F4E027D17F91F22C903668E713632CAB33A960B5B4E2F9717194ED1DF7B08816A662E344E04B12B6C81A1C44F61E776D4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60784
                                                                                            Entropy (8bit):6.521074063197344
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:qO9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSL4rOeqDuseAT8HNQ30pEikrKsBCz9Z4q:z9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSs
                                                                                            MD5:6169CF3B98276F3CF9974DC2D1CED2D0
                                                                                            SHA1:2D9DCA45E40BF720D1ADB1D2A9F7F20E4F2EA931
                                                                                            SHA-256:45287112403521B91DE985160177515004F2618D0DDD1EA0B3B9EBBC10BA5D62
                                                                                            SHA-512:3CADAA8A166FF5527B8266BC88956319A88230C02E1F279A0805CD3EE39B0542C262EAF7E558AEB6750AF291AD4E3A4264D7F70B6AB4ED60E4D30EF4D739099A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.486964327280261
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9ADi+BGe+Yj+fEligSKm9qI32i3loAECsedjllekCRf4FwpL6pTgscpEik1HsF:k9ADi+BGe+Yj+fEligSKm9qI32i3loAI
                                                                                            MD5:085E2A3801FD052FA78EB35784861A67
                                                                                            SHA1:A08D98B2B03AD9EFC473CF9ED529039983D93D9A
                                                                                            SHA-256:77D095EC973D379CB55A8B88EB3DB34F5FC02BBABE36DA6A25EBA3F2C382EF51
                                                                                            SHA-512:E2AF53D5A6C61C52C0981C83BCCDA87939D64DECE4BF0D48CC1573C4E2D4D3773CA49A3174381BE1AA50D22CA4258229DD0C18C556519AD4A9A6FE457A2D0DD5
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.487146751316606
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:NO9Nhjxn9FWv4GByP5KpHSnLbM9B5vBmGOv0/kOeR/1OgBly2bCR4EikxRsxEp4i:Y9NhjV9FWv4GByP5KpHSnLbM9B5vBmGL
                                                                                            MD5:97D41B502E4BEAE98B24AA3A4CAE529A
                                                                                            SHA1:0926DBF0CEB2A3ADE1085FA4557038F574390C5E
                                                                                            SHA-256:E33BE073C742689A49FD50F7AF08D1F013DD79C6AD918CE976447BAF84B7AF67
                                                                                            SHA-512:C0A98F9472FA74E6FBBB5AC731F0D1F817B8B272B8E486F67FA23CABD7643D1C72B4901452FE257A7D9D6EDB2F3EB6A91D3AE2050B2CBF9B56FFCDEE0B92A1DA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62056
                                                                                            Entropy (8bit):6.434087583320252
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:wO9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4bydq5inL+yPocyx+q92nYHYHzB2iHG3e:d9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4k
                                                                                            MD5:F990C8CCBBA3F311BCB66CC36BD28090
                                                                                            SHA1:D7EFAF9B2022B7EE0C794CB24AD2A8208C570630
                                                                                            SHA-256:305A7A96FCE15405505331D6EF78DB5F88C4FBC32D5E9FE89EEB235DCA3335D9
                                                                                            SHA-512:EE222DCB4DDFB650F18A3A7283AE8DE59FDC3A1E1A4DD58D80EC05C9934AEBD8DC9BAF9C1E77E3B1B5D66334CC7D823B6FBEBA57C6E17447AF8852DF454DC84F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):67168
                                                                                            Entropy (8bit):6.566460710824405
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9OCfiY82Whhf/Oaxtz9dgqn1LsIOYCZx/QxJHDv+sBkzKJMPYBj8UHN7oEikcL:k9OCff82Whhf/Oaxtz9dgqn1LsIOYCZZ
                                                                                            MD5:C38DB5F652DE91B18DCCBDFFDCCEC503
                                                                                            SHA1:75BD4F252284E87BD4613913FC9B2D408AF355AC
                                                                                            SHA-256:587A707E0596DD62135410B2922DF2BF4E28A44793366ECB9F80579C8761DBE3
                                                                                            SHA-512:9C7D6775838672A45E98AC7C21679E3607EFEDD7EFB8673965279067AFBB65E88D39961D1309FD586B151049AB2C262361A3DD7E02FA45C7D73B5AE0207A11DD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.444190816855698
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9jlXq39V7UTJazmvWyBmehkkSgwgt7pK1Iq6lDRyFxutpLdcIkey5JvEikr+si:Z9jlXq39V7UTJazmvWyBmehkkSgwgt7q
                                                                                            MD5:0826E8C277C0DFE42735A448DB7940C7
                                                                                            SHA1:8A7E1320F58A86745175B1D0301E822BFA04FB20
                                                                                            SHA-256:1AA40D2BBA8F882BC44DF66B9BEA547A61012449DBFA404F3D32762BD728C865
                                                                                            SHA-512:00728861F65405438F7C823A6CCBCA5B841D53F499B9B0B0856A9923B102E9EF36BBE1035AED809EDE3F2A40764F39811259C52A5A0287B9896C303F7805A11E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.471588224248052
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO9PcsKNcG6/SfNsIpERGRBPvJV50ATCaHC1B4/QYfsueQ5amCVBjEikgBs6d3zs:29PcsKNn6/SfNsIpERGRBPvJV50ATCa7
                                                                                            MD5:601CA689F9075A86860FE17F6663A3E8
                                                                                            SHA1:6DF7EE000E7CC0B7E81EAD584BF60F34783B7D50
                                                                                            SHA-256:2D397D019C11FECE226947B075873BB1980FBC456BBFF743D92ABD9CD13AAC2D
                                                                                            SHA-512:8231DC4D221D57A77159206D98AC874F920DB684862F22D43BE1DA0153B8CAF75B89C28BDA423FE9D1C3DF37EDA662426846963FBC7420D1AAAD162D59036ED9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.46459183752468
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:SO9PcsAbAUxcRLSpEebIfb5lG2vuq9o7UtIbQrZuGl2v/+/UAsOkjEikRVsgz4Zj:79PcsAbAUxcRLSpEebIfb5lG2vuq9sUE
                                                                                            MD5:E74A7CD5447B6A0E49D077774C98E529
                                                                                            SHA1:9A57894B831E59EC3BAE33673D3D384C6CEF2191
                                                                                            SHA-256:E60CB451F0EEA3519C88D69EE4D4214FFBAFA07C6CE75DA722FCEB5090D3FD44
                                                                                            SHA-512:131CB8A58C7B0C814A7AA1472E3CDBD3199BC5B6AABE5FD39AD8D78E00B395D9681089753F89E3194D709F55EE8FB6D13C9EFC3AC246A1CD1F7C8205D189989A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.484108194961219
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:oO9pDyWBFils6mKaFq1ZU7iPZn3VfrsYaInkpxOM8zrBwl0xvWbiLvkLEikkls02:19pDyWBFils6mKaFq1ZU7iPZn3VfrsYL
                                                                                            MD5:D111BF070B29A4DB93EDBAB50B0A750A
                                                                                            SHA1:94B22AF2C90254600869ACEBEF6BBC6172598834
                                                                                            SHA-256:21E5E83D0ED84060CE883E628FF61E05B141179CF861B9CBE83C222816AAB6CE
                                                                                            SHA-512:6319377FF841D97379FBA879B3F274A0270C010EE0A70CC624A9862D7F1B46E08ADD69A7DB00B6B62AE7FE670B459F5E956D67C33B67737937088F42F81AFE59
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.482124743495525
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:mO9WHroG73/MBcBgbQtAIceIZJA4qErCGAqNDEvu/XcgKErjRfxLzqkPzEikp0sH:/9WHroG73/MBcBgbQtAIceIZJA4qErC5
                                                                                            MD5:4191204671CF8F3D51B7C97034F7E8E1
                                                                                            SHA1:B2CCD154E9679C5EDE4B61784F711F29E255DE65
                                                                                            SHA-256:DE145030538AA124503DFAE7BAD0717A4515EA89E3E6F0F6BAECA72ABDCFA3EB
                                                                                            SHA-512:046F578B6E95C8B5BD38D4D426E65AABDA7412011ED667E18E5B5EDC54BB1355CA5673600800F288C56216B54FD01865D1DC6CF64FF75FCFA4FE05882069BC93
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.470070999956776
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:NO9ADK9GGZoFZbcS0PFl8SJiJS4+X2uMd0dSBb/yNvd1SiUU/GpgYCv1Ny7qwEik:Y9ADK9GGZoFZbcS0PFl8SJiJS4+X2uM2
                                                                                            MD5:604F05D82D7A9DEBE56EEC6330A8D56B
                                                                                            SHA1:F606FD15D1BFE811996DE48C2B3CBB8C8819F58D
                                                                                            SHA-256:5FB9012845120321AF415301EE387961F75C70BA87BC779725B7A66551219853
                                                                                            SHA-512:3568A1982E827E507615863962D795AAD55CC049A1E98EC9734314B26E43F1BC82C2C8CB6D54BECE4D54427EB9D664881093D095359333C8B91AF6E37577194B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.474432837189674
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:WO9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxIjfwjRGaDZng/7HXwpJjAvvhYpvvFi/p:v9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxS
                                                                                            MD5:3D8EC5640C9A814D8D26483D135E698B
                                                                                            SHA1:15FFB7ECFA9260FF2F0439727D67897240653BF1
                                                                                            SHA-256:20040EB12C4BDE67FDABA345DD18F5D5A55EB1D4BD0E634CC589B7E2C66E6A52
                                                                                            SHA-512:3E39AA837EF2FF7F698CEBF88BB775CB2245902FD8E4702970EE8535CD54D953FBEA5178C99DB0B938C62ED5850E9495F93590689A2A5EEFBCB933D8739545A6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62560
                                                                                            Entropy (8bit):6.538819459136321
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9CElFACr31NvYOv0ffLE2WGNFzw9mgCOppcdIUX/a9BcPF4O9M6XXfEik2uIsV:k9CElFACr31NvYOv0ffLE2WGNFzw9mgV
                                                                                            MD5:09BB3D444935C528B480C492832BA992
                                                                                            SHA1:17E54297103F0E944C93F4162BE18AEDB8EA0779
                                                                                            SHA-256:85D0797D32892617197026ED00BFE1BB2FE9A07CD64390410133D5C7F430EA15
                                                                                            SHA-512:FA0C1593080AB8AE0723108742824B3574A713F12C25C310A3AAAA4C862D821B86B90F80AE94B1CCCBA3FB5976AA4DA7D43837B634AC3377E1CF80B4F75B2C96
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.469806225746028
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.516164435968868
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.46059690688784
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.501112106514937
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.438594682971094
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62536
                                                                                            Entropy (8bit):6.6524750201589455
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.646946212587404
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.506165117406071
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.483761901779719
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):447560
                                                                                            Entropy (8bit):6.69362725487304
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60008
                                                                                            Entropy (8bit):6.477288189346955
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.460625681397577
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:fO9PR9q4u0ayE7tbVTGDyl5lr41AcUV3tbUe1FdFYWssYYzTRo+0W+zmtq6+D+rs:m9PR9q4u0ayE7tbVTGDyl5lr41AcUV3I
                                                                                            MD5:37330ED5EA5EA01771D413C98FC32B7E
                                                                                            SHA1:AA17C3B714F4550917A042F483054121B13B17A4
                                                                                            SHA-256:C96FE685D8DD9A0BA9ED3B843FB69DC6722B179B765E028BE695AD1D8E06ED0C
                                                                                            SHA-512:FA7DBC099A56690259C3B37E63A2C6A8D3543AB1058F27714D659FC3FAA827C1A960DC84CB2349CA6B24676FF3575AA61C8EA7D608FD5A5CD63024D6D74DF04D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60008
                                                                                            Entropy (8bit):6.484690147146799
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:LO9NlqiUFxfhZjVqvA/hIlCsOdLM0SB3b6RCJmwc3fF1p3Ruoh9lF7+TmuB/BYSs:S9NlqiUFxfhZjVqvA/hIlCsOdLM0SB3s
                                                                                            MD5:BFA3524BA2302E078FC4BB315DFAEF36
                                                                                            SHA1:5B1DE08A1DD25F1E8A227AEF0FDA478C6C2B3D2A
                                                                                            SHA-256:9C27243B849F4AEAE152B08728731529314F03B32B5B447197914BB134E67A9D
                                                                                            SHA-512:FF0DA53C5DA977AAA2FED565F3BFBEA44E0E8D14E101F9E9CE0E49747CBDC69CD53CDB1AF68A756D28424499A80FE576A2B3FFF5DFE962A48134AD9B69C6C9B7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62048
                                                                                            Entropy (8bit):6.499608570162744
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9YM3z1nR8zMuKIJycvcygytrpu8hYGNNxYjEF9dmPTKgMsGRis0xEikBmsTC4y:w9YM3z1nazMuKIJycvcygytrpu8hYGNG
                                                                                            MD5:46CA3125CEFAA641DCEEC37735E99857
                                                                                            SHA1:7479ADEE6400FC727B99647E1393F0BDEDD76FE7
                                                                                            SHA-256:E91C7D8291B548B0C87A8DBF5BA4AC48B070A71EE2624177F40B059A8E920ACD
                                                                                            SHA-512:D6CBFEC4B65328162C295C85142676BD87B0EDCC27016FAF53ABE0391E5586244CE95CC8DC5E7BF35282DA6753B89E18702D5ED2ED654E3E566301A546F0C2C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.481733244293592
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yO9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/PIPq7tzZtq93YcZ8+gGxlEik6nsyzSZL:b9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/P
                                                                                            MD5:754393FD72CE7072C9D1CFB811BD6890
                                                                                            SHA1:09C0FA677E62AE7B73C9227199D73E8E1D3781E9
                                                                                            SHA-256:2104377F7A6D91954814982B2D01D8FB1387242348752B4D74F8DC51CDA3DCCE
                                                                                            SHA-512:2D13331E6E3CEBE88F5904506E766AE914216846BD86437E0064027C79A228B1A825167AC85AD7CF9B0E2A3184483D54E04FD3F760849A5EE95490E535AF72F1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61032
                                                                                            Entropy (8bit):6.4636076325119385
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:EO9P3hKCp6OYLZur7K/Wwtzx9RA8YGsBo4bUxOhTeiuQKYGasX2iBEikQqsnzJAS:x9P3hKCp6OYLZuXK/Wwtzx9RA8YGsBod
                                                                                            MD5:5FF2A9B976FAA2D6D77DED84DABB4F23
                                                                                            SHA1:BFEB0050B14BFC5B19387A5B97E33B75A3810921
                                                                                            SHA-256:79E68866A498DCD35F2B6E7034E41DAE5C4C941B8DE68129D95E42A5F1635921
                                                                                            SHA-512:3B40156578215F3E41D3D03D6ADE09C4E1171B9A13EA8A9A918BE8CABBBB1D537964A2715FB0A10A8F74D20D7D096DF0173CBA62EF849436057B6B17093727B6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.491906435239392
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:uO9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdlEhm5AtmxhG7TcFzCQOnIxEikTQsUpzx:H9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdP
                                                                                            MD5:210D110E8FD4556BB6D5BADD157FDFAC
                                                                                            SHA1:BFB4682C6C53208F17D29DF7C893EAAC8B2FFC45
                                                                                            SHA-256:CE1F0922E083915A2FD9F386ED239CAC7EB7BD22D5F3646C89EBB43C59EABA92
                                                                                            SHA-512:B09F834515872D35EC304116AF38EAD505DD4FAC8CB8689E770EE11DB706D73A06DE59999D376078B5869BDB592A6450C0479F4F183134EA6E971937D28A685D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):65096
                                                                                            Entropy (8bit):6.5757659638547805
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:7O9MFcYvxELwVgZIvKsk24cxu1XVwNCMRTid1j2rIgfdqI5TOfHtUw8EikGGUBsR:C9MFcYvxELwVgZIvKsk24cxu1XVwNCMi
                                                                                            MD5:DAFF6FAD7BF7BCF89E924BCBB58CF945
                                                                                            SHA1:D87DA98D42A22B1F4BFE3F67194B163FFB28BC01
                                                                                            SHA-256:EE645F8D963A3143414F09C96149C39076B768B537A64EC0193D416B96A7147D
                                                                                            SHA-512:C107F4616D81F83809CFA1B186E2303E958B0608EED4675153630312D8FF2826C28EF2075F072D7028149792B4CFA5E62261FD0C6971FD5B0E286BE88CA2F686
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):120392
                                                                                            Entropy (8bit):6.600820147251668
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:kkutiJKARK95EvS8BBwwgZqoc5+TiEt9XS3RMlyTI:kJti4WZBBdZEt9Syld
                                                                                            MD5:D98053D49BFE481CBC394439879278BE
                                                                                            SHA1:53DC39C37D780D5D5CB3D341C77A304919362BBC
                                                                                            SHA-256:25D0F56DF1146C34F59D291B62E34608D2F7451D817EFFE5E94147CF182ECF41
                                                                                            SHA-512:3CF06146E31574D3C13C13CB6D887C3D66C5E4C47E3291C2B4F3D7F196786668BF257702A8B6D9047BFC986784EF756ED9B1048CF3C9058C129588C19E3F61C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61536
                                                                                            Entropy (8bit):6.523136812660269
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZLO9gebhHq+ugsPXU6d/ic7SFgw0FAAgWwUT/8IS5RhOYPi5wt7D/TEikbss5zqJ:o9gebhHq+ugsPXU6d/ic7SFgw0FAAgW2
                                                                                            MD5:E7991B70C6B77FEA9A62C4F8D7530431
                                                                                            SHA1:CAE5F8E620566A0B88BEBB652CA05B6D488BD336
                                                                                            SHA-256:9D57733FF03F65B3772E594C2B724516AAE07B36D278D95551ED0CF9C8E3FB0A
                                                                                            SHA-512:1DFBC4E3D3DF1F096329CFAB20AF3DBE004914389723B72C0FD6C64524FCC0A62D00C9E1970E3AD4EFC5D290E1C3E3270835DC9DE833FF6DF42F8C935F75F1D7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.479386821033209
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:SO9mF2xWvZr5ttPBV5ramm5IgejsnMniPqhm+HFZUI8L0CmJ67V86o1n7EikSlIo:79mF2xWvZr5ttPBV5ramm5IgejsnMniu
                                                                                            MD5:59B16C3C894BE415C7898631A56875B8
                                                                                            SHA1:936B5488D3FA4A719DDB23E77349990F0B608B6C
                                                                                            SHA-256:ECA7D7BEF9C766B58D52A9397950DFD255FD7CEEB6AD7F8A6FE40ADF8F4076C6
                                                                                            SHA-512:3EEFD8BD4E3DBDE781211E21EE7D94ABC1B315DAB170AB6B7C54F50DD8F08423D89F3D31E72EAF55ECCD72F02B8C87CED43D6E0BA93EE9D5F737BB02BC2B009D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60480
                                                                                            Entropy (8bit):6.4782272527779154
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9ADvQ094ML8I+w2zbtseqNaio1KHc4hUyFE4RlxgCwXVn03mO0OHc0EikbLs7h:Z9ADvQ094ML8I+w2zbtseqNaio1KHc4N
                                                                                            MD5:7A93FD8F03D33164125609576B16F7D3
                                                                                            SHA1:4E9A26CC292F32C46E7AF980138459BB54FCB5FC
                                                                                            SHA-256:7E77C6DB4E49369E22745AFD1902D43B69B63EE3904C98092325101E8E175425
                                                                                            SHA-512:5A7120AE9518A7DC17378589770C65EBB2500F49ECD61810CFCBEB92598A3A1B0759416063CC323F45A7F9F8C62EA8A5C652D29C7D61124F54C9A99CD9AC227C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.465184220792856
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:WO9NbIMAwsK92xi/p6ZCXczFy597Zh3ndpqW7A7MlN9XXW0LlTcE56fvEiknAs3E:v9NbIMAwsK92xi/p6ZCXczFy597Zh3n0
                                                                                            MD5:EE967F32CA275BFD2ECCCC4E7DF8B2A8
                                                                                            SHA1:ECABCA1D011A740F7BD4A70455BAC993ADE65558
                                                                                            SHA-256:3752413BF675863D6907E3D28CEE268F21F23DA7D867B03316593A93AD9342E1
                                                                                            SHA-512:4CAB44A67A27A5D6DF49DC2DFC90B6445E7B1C42E8C877B77B56850EEB5CF15467D14956F2E549CF34DC2E806040DE7D1653A1E73371CFCB131C51C29B1C8E4F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):70240
                                                                                            Entropy (8bit):6.439305964283473
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9f4A05v/3yGE0k4otwhknztUWCH34BsBrs+9XgaCTK6pO3/SNmKuREikFrsFaB:E9f4A0533yGE0k4otwhknztUWCH34Bse
                                                                                            MD5:6427DDA9F993898603DE50DDE1528754
                                                                                            SHA1:4737D69D4F8386C120DDA5A3718C31A7EB061453
                                                                                            SHA-256:90951B5F5A58E50E3A1068FA9DD30D30F8257FC27D1586DC66EDC174559FE529
                                                                                            SHA-512:B4925822276FDDED78553828384EA1A9016B49EAB38116FF0DC9748DA3DB1EEE5349C67586466BFAC29C8CDB1B10A4735ECD72E80A6AC427EFD834FC05B3623D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.505132466289463
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAZ2tWD5WtcRxzkebFbrLyXPEik6ms4pzd:w9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAD
                                                                                            MD5:E1C23198DA9715C0D8814AA42AD73F8E
                                                                                            SHA1:CC56B69059EF89A9CE9507E9B71557C7FAF3EE86
                                                                                            SHA-256:FC03EF162F1247354449D8B7CA9A0975A692E4C2571078BB00275EC40FB4DFF9
                                                                                            SHA-512:5E4CB706ED60D7F20B5587D4D48F9634AA770BC6D482F380100B264C1ADDDA152D19E174DC1FFD7D1446A180DD805CDA4180C4FBC814C6D547606FE33FB2F870
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64584
                                                                                            Entropy (8bit):6.578204708909461
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:eO97noksNVY4yQM8s8KU9oTU9j6qImAdgM3XRPW+292RK/1BI3HkkKajWhEikvri:397noksNVY4yQM8s8KU9oTU9j6qImAd4
                                                                                            MD5:A788D43CA80284DE4B1F4BE99260CFFF
                                                                                            SHA1:3399A53E1D923C8FF17A7B1708CC80976F205CCF
                                                                                            SHA-256:A54192AC15BB6BAD9BFD1E0A1A958A768A7D2D942E489B4246A0A8D6194E6287
                                                                                            SHA-512:3ABB11B0623A93C9EB4C654B9C8D7DCD9DC2BAA5DAE4B14ED86212C4F9B710F76E438140A405498F2A4AB44748ABF113CE50282BBD0B0483FB80368822142BA4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):87112
                                                                                            Entropy (8bit):6.939400200256647
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0Ihq3RcCBwca4EZEXNciFk+ikPCpecbi/snazkZLzwN3A:0IY3RcCKcajodF4pecbi/78Aw
                                                                                            MD5:BCAE3BAF0F089D495EBC8AEB278244CB
                                                                                            SHA1:30E9D618650A9130743D44702B56D48EEFCDFC73
                                                                                            SHA-256:6D6CD9AA3A3538F5C37A2BFDDCA9FC293AC3C05A4E708257BAFE2EB1AE49F1C6
                                                                                            SHA-512:D76D22999BC7D79F4CC99FC3185CA074B8A3554412C5889BBD4497B1F2774761612791CBA4E58BCD97A38367AEB701ADCB0C5E249E0D3CFF005B19E78534AC49
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62024
                                                                                            Entropy (8bit):6.590924628799334
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF825mb6ZB+D31jnVJvWf6Qjlux6mnEikSz:w9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF8b
                                                                                            MD5:2C89412B5843494388D50CBC904074BD
                                                                                            SHA1:41B85F801196AAA600B3B151CF9D92B837580BCE
                                                                                            SHA-256:9874B9B27E20695019D48F72700D973258E89909D6606FCA6E72B2F51E9F62FB
                                                                                            SHA-512:180AA2AFDBEAC3FFD6509B6AB3EC9D436AB07324D690A3AFF18E977BE9E3046FD8E07A06024976A425A00EC28C1373786E95A74EBB24FC41623851BE2C34C447
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58952
                                                                                            Entropy (8bit):6.660184048742961
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:iO9WbWCHB/rkbEqBAVidKSlcZSI3+B0ncFytfjCqpXFBwW8jeFLt8EikfBsl3z++:L9WbWSB/rkbEqBAVidKSlcZSI3+B0ncB
                                                                                            MD5:2143E5B5A9E66E73DC29FB4E455C7F29
                                                                                            SHA1:0A92DA431F4C9AC788DBFD5E99F0CB2B0AA7EEA0
                                                                                            SHA-256:7CD1B59BE13DA24CA6881FF41076C37DE6182D636E72CFBAD7BD4C5FCEFC77A1
                                                                                            SHA-512:D98C74DF96125C5EDCFA1C06E127DF75584D7778C739728E10BB3C857503FA526FE6309D45749C3DDFBADD9EFFE472C57EF78ED05DCB8A554BFAA6A64BB01F0E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59496
                                                                                            Entropy (8bit):6.636021348116236
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yO9WbWqDTFAyR6j4hxW50IEdIhR2Ji1paNSh0CvJaCuXaSQCHM7IXzDEikhBsm8i:b9WbWqDTFAyR6j4hxW50IEdIhR2Ji1pv
                                                                                            MD5:1F0BE9447A686B051BDB75E34F0C8EF4
                                                                                            SHA1:ED8B0B02E54334211D1DAB4E3215EDA1C909F0B5
                                                                                            SHA-256:C6D50C31D3AC401DD787B7C9711969988EB552F7633B3D243800380470DDC78D
                                                                                            SHA-512:2A6E73DAF00542959B3BA61B07AF8B58EF3008ACE112D277CF479060961DB59708D7FF53B27CCCEB54A2BA682DEACB5152B7F0B97625847A93554D24B7A26C36
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):1194
                                                                                            Entropy (8bit):5.314813641932776
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:JtNLNHfhlmC8muS/PmiLeLGvefFLlRoHLdW5iCPFC4QOD/0fYeTBjVqwEeOZ:JthNHfhlmC8mu+eiLeCefFLsH8vC4QSj
                                                                                            MD5:43AE4D9AE25074C19EDA31B498A8A9E5
                                                                                            SHA1:CE6A9C06617013CEF58B2BD425FD580DCB94CED3
                                                                                            SHA-256:893F75753EFB608FAA389C117117A4AC65D199743426EB35ED7B229648C00F10
                                                                                            SHA-512:803151854B5D2074869DF18E1BE82B0D970258D2A8C3AB18ABA83F6671FFBD64B031D02F4FEE4E4780686199B8E519104EF2A4A1EBE67717E9D725A56D42D84E
                                                                                            Malicious:false
                                                                                            Preview:2024-09-28-08:46:46.262 pm System.ArgumentException: Cannot delete a subkey tree because the subkey does not exist... at System.ThrowHelper.ThrowArgumentException(ExceptionResource resource).. at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey, Boolean throwOnMissingSubKey).. at Microsoft.Win32.RegistryKey.DeleteSubKeyTree(String subkey).. at Squirrel.MeetingAddinInstaller.<InstallMeetingAddinAsync>d__15.MoveNext()..2024-09-28-09:18:17.997 pm StagedAppDirectory does not exist. Using Current..2024-09-28-09:46:42.673 pm There is no version.txt. Falling back to getting version from folder name..2024-09-28-10:20:16.183 pm Version: 1.0.24151.1; addinPackageDirectory: 1.0.24151.1..2024-09-28-10:28:17.574 pm .dead exists: False..2024-09-28-10:28:31.767 pm before cleanup unused versions..2024-09-28-11:41:17.159 pm Addin directory exists. Copy was successful..2024-09-29-12:07:16.845 am COM registration. Regsvr Path: C:\Windows\system32\regsvr32.exe, Arguments: /s /n /i:user "
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):455716
                                                                                            Entropy (8bit):5.169510702747751
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:Rs3/0+NAoXAY6nuKGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplh/y6woW0nFTF958lQ:A8CX0Qky6cp+7B
                                                                                            MD5:E3C8B42670EBB0530EE81F427671AAA1
                                                                                            SHA1:F8C75ABC800C7326E6E814947390C14575D691CB
                                                                                            SHA-256:1B31630CD15BFDC663B9630790B968AEE407730DC94F48BB96FBEDAC9ECB1002
                                                                                            SHA-512:4CCA913DD1890DBFA72195EFF3CB5856AC6C01A4A910DF719376EA13264E129823D3788EB874C222534AEE1E1CF7B3ACE71900002252449A872BB3C9447F3B98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):455696
                                                                                            Entropy (8bit):5.167372000083355
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:vtn/0+NqoXAY6nuKGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplh/y6woW0nFTF9589k:98wX0Qky6wN/iZ
                                                                                            MD5:2EB6C328ACE10BEE32EECB6609578AAB
                                                                                            SHA1:3FDE2F845CF62FF557FD49E46FA6F761CFF4C7EA
                                                                                            SHA-256:40F438A5F0D0E9FF5BBCAB29D51BC7B6CBA03548C5DB021A05426665A2F98A69
                                                                                            SHA-512:E4FF466CEBA47C71046985AB1E62877BFC57D5A98F0E966C46F64FB23710C85CC2AA3BD2F4B0ABC134D18A501D7A01FFE881110FC57A8B5DDB07C89DCD4F3514
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):932
                                                                                            Entropy (8bit):5.229740073481518
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:wLmML7YUfYeMRJNmfYeZ6fYeMkmfYeXlRJgDW9B32lyGXZU2kSFXgBfYeqTJh:DMPYQDeeDUD8DX/KWTmEADw5DqNh
                                                                                            MD5:11A4FF2FB8F00547158285E381C549FD
                                                                                            SHA1:C33B2FAFDAD591A75C889D044E527BC4BC9ECD34
                                                                                            SHA-256:FD5FBF29C9CFD7027D0BE710549461A29786764B5967DA32A2260C2F75F4FEC8
                                                                                            SHA-512:78F10D6778044210E46C62F4FFEA73DF9D2C6E037EF9B95B59EF278B725335332EB8AA701D8E60B0A4962644606BDD68A07A10700EA17A8A1048EA721D9EC2A7
                                                                                            Malicious:false
                                                                                            Preview:2024-09-30-10:03:50.779 am Installing Teams Presence addin for Outlook.....2024-09-30-10:19:17.998 am Copying C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\assets\tlb\Uc.tlb to C:\Users\user\AppData\Local\Microsoft\TeamsPresenceAddin..2024-09-30-11:01:42.039 am Copying C:\Users\user\AppData\Local\Microsoft\Teams\current\resources\assets\tlb\Uc.win32.tlb to C:\Users\user\AppData\Local\Microsoft\TeamsPresenceAddin..2024-09-30-11:59:44.932 am check if UC TypeLib points to current\resources\assets\tlb\Uc.tlb..2024-09-30-03:03:36.155 pm UC Typelib WIN32 is registered under HKLM and file exists. Registration not needed!..2024-09-30-03:19:26.444 pm Registering UC Typelib WIN64 under HKCU.....2024-09-30-08:01:37.884 pm UC Typelib WIN64 successfully registered to C:\Users\user\AppData\Local\Microsoft\TeamsPresenceAddin\Uc.tlb under HKCU!..2024-09-30-08:14:19.876 pm IM Provider registry key already exists!..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):2593968
                                                                                            Entropy (8bit):5.881550107079208
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:V6vewRhIuY40qnnNjJDxn0YzcenyIoZ3v:V6vewRhIuY40qnn1JlFceyIu
                                                                                            MD5:17927E3240D3B0212A4B93C1D45F92B0
                                                                                            SHA1:D86116C18A4A5D409D38F3FAB45F3DF83E289829
                                                                                            SHA-256:9A9F589DB0A8C6EF543AD6C85FAD3359C7CCCEF0D29EE76063F5B283A5ABB6F7
                                                                                            SHA-512:DE72B0838982B506056D47C889A91E6144779F40167B1B26C09DFED50244AA73C12FA4D3C8C8EDA23E8CCC2246560FA16B186062ADDF7F438CAB60F003D3EDB7
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Teams\Update.exe, Author: Joe Security
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):1096
                                                                                            Entropy (8bit):5.13006727705212
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                            MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                            SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                            SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                            SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                            Malicious:false
                                                                                            Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):2593968
                                                                                            Entropy (8bit):5.881550107079208
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:V6vewRhIuY40qnnNjJDxn0YzcenyIoZ3v:V6vewRhIuY40qnn1JlFceyIu
                                                                                            MD5:17927E3240D3B0212A4B93C1D45F92B0
                                                                                            SHA1:D86116C18A4A5D409D38F3FAB45F3DF83E289829
                                                                                            SHA-256:9A9F589DB0A8C6EF543AD6C85FAD3359C7CCCEF0D29EE76063F5B283A5ABB6F7
                                                                                            SHA-512:DE72B0838982B506056D47C889A91E6144779F40167B1B26C09DFED50244AA73C12FA4D3C8C8EDA23E8CCC2246560FA16B186062ADDF7F438CAB60F003D3EDB7
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe, Author: Joe Security
                                                                                            Process:C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):430
                                                                                            Entropy (8bit):5.423404659442963
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:zLVUB4hqiL1wkn232UEIg9IAth83turJvTgRfg9wRtmLxirJVTgRfOln:vV/ifi3k8rJvTU4ORtmLMrJ9U6
                                                                                            MD5:B1A7771F6134EF694F25E765F2BBE4C7
                                                                                            SHA1:88FBB623AC05D71AF0F02D1B7ABDC9CFD78A328E
                                                                                            SHA-256:3B0436CCDAA9187D8F6D40F3BA67D5131F5A94044B0B8A3384200ABD8ED9033F
                                                                                            SHA-512:CD342206C97C4D119974D61E7486FA08369F76E827E49C00E8C1E5C077F8D57067E0F5F21C07E1D6EA2D31536C8A2F45D2124E1D019CF5857C7AE30261A10BCE
                                                                                            Malicious:false
                                                                                            Preview:.2024-06-19 19:26:20> Program: Starting Squirrel Updater: --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe..2024-06-19 19:26:20> RegistryService: TryGetRegKey: HKEY_CURRENT_USER\Software\Microsoft\Office\Teams does not exist..2024-06-19 19:26:20> RegistryService: RegKeyExists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Teams\ does not exist..2024-06-19 19:26:20> Program: About to wait for parent PID 7432..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):149481432
                                                                                            Entropy (8bit):6.716505014109555
                                                                                            Encrypted:false
                                                                                            SSDEEP:1572864:jNy4BYkhf+H5oEUVrF1hlT/7Ryo3KqRG6i6vajQxnXY:pfNFTlDajkno
                                                                                            MD5:E20A8E5630CFCAD496816E211D212EAC
                                                                                            SHA1:71869C3475D5EC0CBBB74757EB1B42CE15637E01
                                                                                            SHA-256:491486B1C1E9B93718F4D4ED8CD071D98622FD367B30B21836BD98DA60E8E0D0
                                                                                            SHA-512:AD58F56CA67BA99ADE6FA1F077258DFD69A91BAFE2ACFC719D8127F44910DDC5A7C13DA974E300A3166318F210E28DDEB3B7D29A339AD181067C025E7678AA3B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.174444396160522
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:xzWRGWruVXC4deR9zVjjWPo5yEFHRN7N2R9zyvLMb:YaVXC4dC9zVj6PogElNK9zKMb
                                                                                            MD5:D0002AC3A0BC9087FA04E87447402942
                                                                                            SHA1:4C142D134613FCA50C5127EE27C91DB10832A813
                                                                                            SHA-256:07E54F054F6A6AC5E79F8EDED53A6CE99CDFCDDB0FB85A24B59872D9A8BF3C82
                                                                                            SHA-512:DB3FEAF9B1D2509645E4C8DC8681CD8B0BCC4510C4C677302636A0AE1F95B820EAC2C7542D478DB09963B6CFBB9AA644C51B3A37BA3CCB9201BBCCFAA562569B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.200940877329348
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:mzWRGW6z+egMR9zlN5nux5yEFHRN7vUM3SR9z+5u:j/eH9zl/cgElvUM3e9z5
                                                                                            MD5:E0618DD3DD3C294A87899D4E38D7BF99
                                                                                            SHA1:247207B2710462F355382AB08524B09D129CD439
                                                                                            SHA-256:E7D250C4C35AF25E052AA1C97193A3E7882CADA7933524CA17915408CD6BF151
                                                                                            SHA-512:01C4C6FBCB76E3B64F8BDA481338C0DFD36508F5DE1E4D96D757F169E4C96C2893FDFCCB139EA3038562585450EF65291F409E49328F7EA22E2DDA8160809606
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.181301188221551
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:tzWRGWfnOXk02IR9zgahqo3j5yEFHRN7Eg2R9zyvi7:UHrU9za0jgElJK9zL7
                                                                                            MD5:E7C549EA4C28379D8C45D4188812ADE7
                                                                                            SHA1:57231F3F156333AB268841E7D93916B791412BCF
                                                                                            SHA-256:C4D5D89F3C566E42F486177A2FDA28322DB3761D02AD229538FEDE837A41BE04
                                                                                            SHA-512:6CA29AADFAB61ABA84A9B9B4ED9C05F4ADB6141914A79780E62D2701D12F107F5C852533BBF57BB4B1A6FC6433ACC88C4601ABEE9F0900DEEF0E07945E1CB983
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.196312063377219
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:5zWRGW6OJTHFDR9zW6YL5yEFHRN7v/7R9zkV+az:wXl9zWLgElvF9z69
                                                                                            MD5:45CC1DE492D880419183F68234972B3D
                                                                                            SHA1:C834C86A30177986F4399D93A64FE6E87B600394
                                                                                            SHA-256:68B3AB0CD1216C2780743C4526BA6226D497C7ACCFF491DAC34B5448820BB9BA
                                                                                            SHA-512:CB5DC254C089681A768F335ECDCA6994DBF73F8E09F8471EA4D284768007E0AB674FF73751276665445DCE6567FCEDDD3BEDA22E1D350FA9669C9B66F78BFFF9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.217690630029872
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:/IfzWRGWbBMR9zlN5Xp5yEFHRN7Oe9R9zaOt6:/ICK9zlPpgElX9zLY
                                                                                            MD5:16AA0D76C3A1EC8DC08CB2932E93A507
                                                                                            SHA1:4ECFAA5F7ADD42958B5BAF6A6F28558217C94CE7
                                                                                            SHA-256:013ACB72481888667E15DADDBA4BDAA1827BD9508B9A748518B9F3685F030512
                                                                                            SHA-512:939B922EFEB2C4904D475E47E73D3D97438F3700B8699BE1B31D12E9806EF879823407D982511CDC5791748DB2AE56B0639DBD6895F1F142B2D0651B735152B4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):26696
                                                                                            Entropy (8bit):7.116917589323945
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:pBPvVXOzWRGWC7cVXC4deR9zVjjWHf5yEFHRN7qu/7R9zkV+:3PvVXbZVXC4dC9zVj6/gElrF9z6
                                                                                            MD5:6F4F871C7B32CB14952B60D69D0C1C7B
                                                                                            SHA1:E4DFCBE03E5A74C00ED1069471D86083C9401B4A
                                                                                            SHA-256:3025C8819ADE6E9197CCEF3ABFD4A8539564563B48465856F1BD9E0E891E136C
                                                                                            SHA-512:9591BB97DC0D51D38FD41145CA3CF80E73FAF6D9F69CACD4DEDDA15AE9A0EE4A84906F4B0747586C0CB35D7E73673C0EFC20E9B5309DB854F6316F99F9B35546
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.196076949295106
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23136
                                                                                            Entropy (8bit):7.243164617722081
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23136
                                                                                            Entropy (8bit):7.202557142593507
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.174957979171288
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.213048575122242
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24136
                                                                                            Entropy (8bit):7.16679417863342
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):25696
                                                                                            Entropy (8bit):7.1828290910535175
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23656
                                                                                            Entropy (8bit):7.189070009610263
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.243599597259437
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24136
                                                                                            Entropy (8bit):7.172625162777062
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):25696
                                                                                            Entropy (8bit):7.110014308973341
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.210782793165712
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):22600
                                                                                            Entropy (8bit):7.264345997772862
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:cvIHyZBzWRGWU1FDR9zW+5yEFHRN7BGXEpcR9z0D:cvCyZo4l9z/gElBOEpw9zm
                                                                                            MD5:22294CD0DDCE5580A4A0395539D580F3
                                                                                            SHA1:B7EA32124CA8282B49A219CA32B932D1F99DE1BB
                                                                                            SHA-256:4CB90EF736EAF4AE7DC97E733EC957525F858C97F245AE6221BCEE4809336856
                                                                                            SHA-512:CDAD732069FBD1637D3AF51268AD064BD693F4A4518327A499CB22A5B0B5DAF87BF8574D52007D1D9EC9747C1B6A740EDBD48376F1D6CD521B04F04ABB4B4FF0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.182115756506717
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:8GeVyszWRGWPMQSR9z+655yEFHRN7SD9R9zac:8GeVA8Qe9zX5gElSb9zL
                                                                                            MD5:AAA8F5A2444C359767E0263396848AD6
                                                                                            SHA1:EE624F719EBEE50D01FAE9B009FBA5027A1971FA
                                                                                            SHA-256:B9F5DC527CC7B17D6BEB55DA6B1E9C05C87B4D66CC05BB7964A307B4A3F91C60
                                                                                            SHA-512:E37D4586DC56F2800CE7F8895D129262521AC909911008C26ECA2BBC30590B4C2558F3E515DF97895F05F73959A69993A214E934F7DF31FB52A393D2B9D5A3DD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23136
                                                                                            Entropy (8bit):7.222493904509621
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:KyMvDzWRGW3Csx2IR9zgyyK3/NEHRN7p1/7R9zkV+tZM:KyMvmeU9zP1Ap1F9z6V
                                                                                            MD5:6AC73C478EE2796DEEE862D04DA5D1CC
                                                                                            SHA1:DC316BD0B6A76CD9D1CA107B97D1391A4BCDCEF2
                                                                                            SHA-256:3B6B1DC9B1362A3F65D336EB3D93DB86215BF1FC78B27C42FEA2D39E10D066B6
                                                                                            SHA-512:0B7F0AC1A19F91C5858EC9D0E3617C9721278D002F957744E110CE46EE43D1377AAA73CE17A7FD8CDAF3865BF6A1C0291DEF45153B833F9295166FF436B87CBA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):25184
                                                                                            Entropy (8bit):7.14330146709302
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:cdv3V0dfpkXc0vVatzWRGWvWCsHFDR9zWJTtIZ/NEHRN7g2R9zyvN:cdv3VqpkXc0vVaU3Ul9zihIvAgK9zC
                                                                                            MD5:6410989141A05B2A96646E09BFE6AEC7
                                                                                            SHA1:D3E5F4D322F4E69C5A992D45C57ADE1B9B2FB2ED
                                                                                            SHA-256:074A64FAE175548CD0E6196D9BB2A9ABAF1B5DE53287C99FAEBCA85244DD2FF2
                                                                                            SHA-512:847822C88C995F01198DFED370A01A86B3576C77E6B8A371F013C9E8370DC8580D350F009D898D02F8B58361AD23FB32EDF51167D1C0BFBAC83BE24D08AFF6D0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.227422005057757
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:3tZ3CzWRGWaSYSR9z+i14v5yEFHRN7lW2R9zyvF:7fYe9zIvgElgK9zC
                                                                                            MD5:476A1AB6916DA4756CC4C545218409A5
                                                                                            SHA1:213499186DCC2CC0F5A05C1B099B97B4CF65B82C
                                                                                            SHA-256:C6CBC8A7518496125067ACFA244574C44B59171230511FC2D532E064FC5724A8
                                                                                            SHA-512:C21DA7478BBD98AD52B1EAF55A6428B260438CEBA0814557F9D9645EBE8B5C005714F611CAF3A3C9E9678907B5F88E438DFD77B6AD7484FDE23B79A9BDB64D25
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24160
                                                                                            Entropy (8bit):7.1730231716832185
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:RcZzWRGWpCsrRxB+R9zBa0gn/NEHRN75/7R9zkV+n:RcQXRxw9zQA5F9z6K
                                                                                            MD5:3EA6993D1503E30B4D5EE8BE9BB40900
                                                                                            SHA1:FDF73717F51148D4E0722C4BCE906556818D68B6
                                                                                            SHA-256:7C3752E068F8A60BC18194E8CDF76912075FB4D49EED3C0995287DC627E1AB67
                                                                                            SHA-512:8D2B0C1F195F68E112B61D891B395963C6342E92FAD14EED49DA4A8B6F030875E8133051E2613AAD2F6279CF4A6494A4310F32F52E2E0D3395991405FC6FBD80
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.223686553227958
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:2fzWRGW1E/mSR9z+nb5yEFHRN7Zew69R9zaI:XHe9zwbgElZewq9zt
                                                                                            MD5:A9A350098F89B2C821338A37735828BC
                                                                                            SHA1:7F4113015729FD162513C86FFCF1C174C2758079
                                                                                            SHA-256:FEB96978B504844143E49BEE444AD5E2D22857C4FB4448C5B5E3D1415C349AE6
                                                                                            SHA-512:1DDE16A47384109193049204FE24AABEB982EAA29A57FB9ECF1F579421CDAE89CBD8B90CA7B38D02C9378EF84AB6578AF1DFCFEEA59374C0B4C2E5F06D7E75B6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23112
                                                                                            Entropy (8bit):7.194468178804502
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Ze8szWRGWVhYMR9zlN5fh5yEFHRN7Y42R9zyve4c:TN59zlXhgElY4K9zp4c
                                                                                            MD5:5530AFA8FACFC47DAB2D6ADC9DCEEBEF
                                                                                            SHA1:F953ADDD2CF227939D244B1E61C957B96C617165
                                                                                            SHA-256:723B5A58D407DDEAC55EBD11EE106295ADAB766B04F5B5E2E225FCFD60187299
                                                                                            SHA-512:15FC358D78D4675EE1833AA27E03CC15BF12D666E5D7FDD6272CB42F3E244F071B91788C80BA7C456961B8C013C397D227208D34550D1EFF7EDBFE95BC256832
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24136
                                                                                            Entropy (8bit):7.189200458077549
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:3PzWRGWY1O/7R9zkV+Zd5yEFHRN7Lg9R9zat4D5A:3yQoF9z6udgElU9zTVA
                                                                                            MD5:84DE981752F992C79751D67BDE13CCE2
                                                                                            SHA1:2729F7EFF940BD65811CDCB52FF03278D740EB93
                                                                                            SHA-256:6A8F0C174C2D96D93FE246EC33315CA30451C06296C10C05C9985955CAACE45C
                                                                                            SHA-512:A999D93720D3D4C7A5EE1372DD803A45B9C0D17D2EEA9380D1C1BF6AC3BB6011561FFAE06102FA9883EC26A3C9D9982D8CB46457201945EE43199D3AB3BB560A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):27208
                                                                                            Entropy (8bit):7.042915943147228
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:l0wd8xyMzWRGW5JEpcR9z0g5yEFHRN7BbEpcR9z0HK:ljd8+nEpw9zfgElBbEpw9zQK
                                                                                            MD5:CDCCF0188A00E26482F6413886BDB9A4
                                                                                            SHA1:D08A49BDF83A0928BF5E792E054215C36060A7AF
                                                                                            SHA-256:C241719B3958C72A34ABFC7C4B6D151834712CEDE7CDC1A3E82EC3F1FDB3CBAF
                                                                                            SHA-512:F09189C2EBD84102FC9BEE54325C9BD0258F46070C4570F7256D59459B3132C2B5BEC7451BFFE563A9B7EBC12B635200F9E7B9FEAB322C7D22C22D0AADB9FAC6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.1788281058286145
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:tKNXzWRGW4iKVXC4deR9zVjjWIh5yEFHRN72v5MR9zlN5HK:7wVXC4dC9zVj6IhgElT9zlPK
                                                                                            MD5:145FC41E1F3F859B82BA6C4F045D2C33
                                                                                            SHA1:F3578E05E1EF502F6D9B6C91F208C51319FF8918
                                                                                            SHA-256:FA53452212E8C3BD53E62A329EE21D7DBCB719AE2C9C3D365688A9579BFAF8D6
                                                                                            SHA-512:3519E738719B5B12EB9279AD568A75EE971456CBC4FE368D4BB0378346C3BAC8E68D79AD0116AA5ED0A2122E0EE511DF5B3401AD8B7E7977E873E5A7728EE982
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):25160
                                                                                            Entropy (8bit):7.1780123814666075
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:snWm5CkzWRGWAi2R9zyvNwPP5yEFHRN7P/7R9zkV+/fz:snWm5CdFK9znPPgElPF9z6c
                                                                                            MD5:40D910493F9A03E2996B60EB59E5C237
                                                                                            SHA1:7653F1B5609DF46B21099E066A5A1AB54A6A1B31
                                                                                            SHA-256:E533403320EAC2032F962A6986C39F588E6632E59943E407000F54D6F13FE103
                                                                                            SHA-512:D813CE129D2A0014AE02D2A0DFC8715D8285FCB2768B1CC7685FDDA7D4F0BECB8D3298B8E0078769E421AFA8AA75ABA669A1610028C8765B1E869D52917D85B6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24136
                                                                                            Entropy (8bit):7.157691565210602
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:+adszWRGWZm2IR9zg+oh5yEFHRN7AY/7R9zkV++r:+adVnU9zmgElAYF9z6Pr
                                                                                            MD5:C7F414F860F9F3F1B1F3EC062B9C1FF4
                                                                                            SHA1:8C14CA36AE9FEBA453B9D267BAC6D198A09F333E
                                                                                            SHA-256:BEBB0AECB8FC665BA17185C24A764C7952515E82B70611A0E4E8D630C791B14F
                                                                                            SHA-512:C05F756DA3CC71AF0BDB4F6C28B72ADA03B334E3303C7EA48593C73F58736B2F06BD8BA32F72F1FF1481493C7E14C93A2609A05FC5DAA6A0EB4371BA6F174E42
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.221408296814259
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:YzWRGWfWEXCVWQ4+W+j0N8RwX01k9z3Aj7/J1WV8yk/yEFHnhWgN7acWU6Z8RwXN:YzWRGW0+N9R9zaDN5yEFHRN789R9zaNM
                                                                                            MD5:266CDB104326C6A1FFEC94ECAF6A8CF4
                                                                                            SHA1:423530D7A43176787D6DE4401ECE72505EDB5E77
                                                                                            SHA-256:93ACAB0F7385797C56F2538AC7A97723F5A6EBE5FE1B363768D2B2D913D38435
                                                                                            SHA-512:151F39466C26FD0AB76B9E7163D796129FABF96FCA5208F32E182B842EFC6324C9AEBAC66BC4047020A89141ED0F468F445384DC4A3138B1D7A88BA55BE4CB01
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):32352
                                                                                            Entropy (8bit):6.857497263456227
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:xSJI2M4Oe59Ckb1hgmLozWRGWFCsx2R9zyvL/NEHRN72tMq/7R9zkV+2Jv0:xSi2Mq59Bb1jh5K9zYAKMqF9z61Js
                                                                                            MD5:8742222344EFA9BBD99EF36C879334B1
                                                                                            SHA1:7CFF41E1A1BB5DE16F060D02EE86586CA2B4778A
                                                                                            SHA-256:F396D8F04DAFCCAABF5D1C67D0FED4237627EA3F597C95F20394EA2C21761E50
                                                                                            SHA-512:C9FAF8E15EC9C9DB7A7009D5B811214A63F0636DF412C64846F34A903C27090A1307FF81994C4720FBE85125E785D9E2E4A9E3C5A9FE75877E186EDE715756B3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):31328
                                                                                            Entropy (8bit):6.872482833246212
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:ESrxLPmIHJI6/CpG3t2G3t4odXLozWRGWcCsn+TcTR9zlDz/NEHRN7AlFDR9zWLR:EiPmIHJI674V9zbAAXl9z2
                                                                                            MD5:2367215632A93CAC9CFCD3DAA893CB82
                                                                                            SHA1:7F7962F617E2CBCC2CEA9E666C5D9D61CF8689DC
                                                                                            SHA-256:915187CBBC8500400D52AC85FFE338A41D3989704CBFFD0F00B048E849D371E0
                                                                                            SHA-512:A882406C0863347B78D4E262E58D8E63D2CB2CABA43E8AFD93C3DB673DBD19273D6D7F4613B68ACDA960AEB71199861F802FB592C43EEE0563F1B0682CF6D83F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):75872
                                                                                            Entropy (8bit):6.01152316524474
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:be6De5c4bFe2JyhcvxXWpD7d3334BkZn+PEXnzXA6kEp4zS:be6De5c4bFe2JyhcvxXWpD7d3334BkZ9
                                                                                            MD5:2C6C33CE1FB9216CEFD347198EFD8D00
                                                                                            SHA1:7A1954B5CAE412BCC63B030136A6A7BC753F2403
                                                                                            SHA-256:3A99B386A1635744F8483FB6FA2B26C6B1CBC7123C8FA448BFB3A872C65ADD35
                                                                                            SHA-512:3F681E51C146F1A7EDE373950757C235EF5AB4EB331F9E60F6F0213EF26CE80A63ED8677D91848A0B0024EECC3F7E1FAE04B4A023CEAC24B3290506A87B544F3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):24160
                                                                                            Entropy (8bit):7.177589302964185
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Fn3zWRGWMCsORxB+R9zBaA//NEHRN7KR9zCjfBonP:0LRxw9zBAm9zwZoP
                                                                                            MD5:44B114E7B57D21CBBF11422C17AC002A
                                                                                            SHA1:74DEC251E08E4C35F795F526D5711C4CBD2B300E
                                                                                            SHA-256:AC64FE40F35C8D8AB16AC36DAB0DE60CFD6D3741B7CC174F35BDE0A560CF017E
                                                                                            SHA-512:EE89B7521AB2373271F9A88615803D6D11213BDFA6A046E1F14343C07DAD6A42FC20392505B459424C766313AF6DDAA6876FD9D4C2851F0B58BE706EAFB838E3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):27720
                                                                                            Entropy (8bit):7.047725056203447
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Plbr7SzWRGW1WjgAR9zCjnFK5yEFHRN72og2R9zyvVO:Plbr7PL89zwFKgElIK9zP
                                                                                            MD5:6ED27B3BCCE901E0622F4112AF1C8D7B
                                                                                            SHA1:3A21BE7B693E4D4D253CB26F7E8D33AEE99410FE
                                                                                            SHA-256:B0E4272D626C4483C2C0A9E443AE274DD4CAD5B68E027857A7EEAD108ADB6F9E
                                                                                            SHA-512:F2597B05D5418B74863B5B418C0B321A1D52C9DE0B6A70434AB78E4B94A1B25FF00143F277F614957099F46DA101166FC8E9DDC2296F342C3223C2367384DB26
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):29256
                                                                                            Entropy (8bit):7.000687723738414
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:s19OFVhmzWRGWtPfFDR9zW8v0eL5yEFHRN7HUR9zCjYmInO:o9Od1Fl9zLv0eLgElHY9zwYq
                                                                                            MD5:39131F1E1E994C2B2FCD7D78EF808B6F
                                                                                            SHA1:77A5380B8C66ADDCCEF316BB224DC78F3202CD61
                                                                                            SHA-256:64E7B4898594766AEFB83E59771A1EE777A77B99026896098DF380B627C5A48D
                                                                                            SHA-512:6EFCA0B69EABC300C0F23F580449CBE0C11BE0106F08156659FB56412B0E59F976A83A2CD6CF7F836913ACB89307A277C94D9A95D21B73C64C0F299967EDC6D9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):29768
                                                                                            Entropy (8bit):6.9375892183895935
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:K5yguNvZ5VQgx3SbwA71IkFcL9zl6WkgElXUe9zLiJ:K5yguNvZ5VQgx3SbwA71IbhzQxZXUaz8
                                                                                            MD5:742CC3B0AE272AA64DF3B012335653FA
                                                                                            SHA1:BAC2BBCED00CCD5902ADE25C048E618C28BACE92
                                                                                            SHA-256:BD551F907397969886EFEFE84C3534C5C39713FE79B5ACFFA944B138E821A92E
                                                                                            SHA-512:76F93A3E205C637E391CF1BD129EC5D000C5A5425411F4521A7BC3DA8C87967F4DEF8BE4E87A54CEE8AF358A5543F93DECB19E6430721FD339DE4F0A466493BA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):25696
                                                                                            Entropy (8bit):7.126651249340184
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:XUPzWRGWsCs80RxB+R9zBaxK/NEHRN7YFDR9zWR:kyX0Rxw9zZA8l9zG
                                                                                            MD5:7817933C5290B3F2EF42F5D545B58C03
                                                                                            SHA1:58E8EC6BCDC186D00D34A8DE115FC05503C31861
                                                                                            SHA-256:81757DF94C5077AA1A2748A5C38C62548E8542A558D754B67EF53EA2340E0AA7
                                                                                            SHA-512:16BA82FD33FE257DD97F888D95760DB3ACBCFD131AD6AD9159F7298FACC9F6DE95B74EAAFCC5B3CA8A4BB2A059039796CE90060DD21AD921302D738070392B01
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):23624
                                                                                            Entropy (8bit):7.210971806691212
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:AfwzWRGWe+FcTR9zlGlU5yEFHRN7wXy2IR9zgWuD6:AfZMV9zYWgElsU9z9
                                                                                            MD5:367F393D23E75A44E1D33DCD0D991E90
                                                                                            SHA1:699A15865C3686D8563CA90F8007BE430A740B3E
                                                                                            SHA-256:6A72D3B4825C0938F1BA79A1ED05A4BAB9A3B4453BCFD928B85D0893F5D47B9D
                                                                                            SHA-512:81E231DE41A28584D2E92B5B2ADD8CB4C4259700DFAE32348FFB538E36ADEAD2856427688C39D1FB92B8959D99B85FCA3EAECF16F00BB9C734D1F5A1CCF317C9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):128506
                                                                                            Entropy (8bit):7.919136270123796
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:ogKzwI/4wKN3/nXCWZQCPxBVO2o418Gb0+VRLf0ld0GY3cQ39x2I:ogKzwI/49NPyCtoK18Gb0OV8ld0GecQ1
                                                                                            MD5:0CF9DE69DCFD8227665E08C644B9499C
                                                                                            SHA1:A27941ACCE0101627304E06533BA24F13E650E43
                                                                                            SHA-256:D2C299095DBBD3A3CB2B4639E5B3BD389C691397FFD1A681E586F2CFE0E2AB88
                                                                                            SHA-512:BB5D340009CEF2BCB604EF38FDD7171FED0423C2DC6A01E590F8D15C4F6BC860606547550218DB41FBA554609E8395C9E3C3508DFA2D8B202E5059E7646BDCEF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):179027
                                                                                            Entropy (8bit):7.942382041600103
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:YDQYaEqQZUYUJP1N3/nXCWZQCPxBVrfR54x5GMR+F44ffbdZnYw9p4AbIVGYoDdR:YDQYaRyY1NPyCt9gx5GMRejnbdZnVE6j
                                                                                            MD5:D88936315A5BD83C1550E5B8093EB1E6
                                                                                            SHA1:6445D97CEB89635F6459BC2FB237324D66E6A4EE
                                                                                            SHA-256:F49ABD81E93A05C1E53C1201A5D3A12F2724F52B6971806C8306B512BF66AA25
                                                                                            SHA-512:75142F03DF6187FB75F887E4C8B9D5162902BA6AAC86351186C85E5F0A2D3825CA312A36CF9F4BD656CDFC23A20CD38D4580CA1B41560D23EBAA0D41E4CF1DD2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):327264
                                                                                            Entropy (8bit):6.352604973329644
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:ft219yeaeO+1g29918EBf2wFrwtngwui28zinWVnWzgBoGgHH:1001en92EBfUx8zVH
                                                                                            MD5:0FC84D0EFF188B66D7B784855503108D
                                                                                            SHA1:0884F732919030BCD0A78864D114A40606E6506A
                                                                                            SHA-256:938FBD62D8D329B126351FB73DBD7FAC6044BAA0257FBCB43C2F9D3CA2CAE1EA
                                                                                            SHA-512:8D892E8FCB088046CB59A7363995F93396711246EA6DA3E8A47F68022EB774872A02729D1E7C803CB81A4AE4BCEBC0503B0B717FEEFD2065CA44A65DE9A987B8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4902496
                                                                                            Entropy (8bit):6.40052955000265
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:9uhjwXkKcimPVqB4faGCMhGNYYpQVTxx6k/ftO4w6FXKpOD21pLeXvZCoFwI8ccQ:xy904wYbZCoOI85oyIn
                                                                                            MD5:DCB281D387E892965255F222C1A5E267
                                                                                            SHA1:D0D0950A76028E65C9A529F506FA4EBBC1F67F55
                                                                                            SHA-256:1BC4CF7AC7729736300F98541EBCA25AFD0D0D476A59FD16722A6673473B0178
                                                                                            SHA-512:EBA9AE1A469E045848E243A5FB9252F06B8C2278FB55E909BF9903E1EF9244854E3E9EF1C064442F1E9F255CF350935DA9F1751836109DB352C3AFD1DCAC35F4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):2820264
                                                                                            Entropy (8bit):6.701611295786165
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:sv1NllrPx08Gs09WfHEiS6bynd0zskze/lvjz7K0YHVyTbQVhU5JkJUdj02bUMKS:ILlzlfHE9OzskzkY1yTbQVhU5JkJlVzy
                                                                                            MD5:BC891D2C13ED24F80559B082950C8148
                                                                                            SHA1:843F46599D19F1253A453C2CAC22185BB51C5A1A
                                                                                            SHA-256:439D6569EBBF5A109394B2BE05327295E6D86EEDB18640CC8D5BA9E8B9C27EAA
                                                                                            SHA-512:A72CC9247AF6773322D95D4729886F4BAC7648F83756105F651AB003920EE660D5D5694F06E80B375CA4383ED8A4874BE9EE0482AC8C82A949B74025491540D3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):10400608
                                                                                            Entropy (8bit):6.282481053515802
                                                                                            Encrypted:false
                                                                                            SSDEEP:196608:5GzwSv9AAQu1+liXUxCGZHa93Whlw6ZzFSEoI:53KlQusliXUxCGZHa93Whlw6ZzFSEoI
                                                                                            MD5:112B22CB7BEEC2B39DC0AD32FCE6E28C
                                                                                            SHA1:7F1E3D30E01A8A0C2EDD805F6A455FB2412772B4
                                                                                            SHA-256:973CE575C7E1E9822CAAEAB90687CA655C4AED36CDF9579D2A1D4AD12259DB25
                                                                                            SHA-512:6B2A9CF628FE8F41456E96D13540C3AB0BD3CB69E88634C05808293FA46CDE6CC637172AD3A36A1D2A31900DED7DCEE014E04E8D78B2F02655A4331668D1E85A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):501376
                                                                                            Entropy (8bit):6.465662564698077
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:AKEcTs/jvtGCIvT/BIy/71C6h7i6DPgwlXwuxkC8wmNj8hLeC8K:AKEcTs/jvtGCIb/BI/CLPzxk7wmNj09
                                                                                            MD5:7ADD324BE081FE150224B05DF7295549
                                                                                            SHA1:4FBCC70E850CF6D9D38ABED8BB9B0BD1930017EB
                                                                                            SHA-256:082919B8A7FA6765B8BEEF7A1F5B5318BC3A73AF49A608806B311D1021858F49
                                                                                            SHA-512:912F4D4E3B3015A6D66733A55B19A83B231DF636F6661DB4432AD722F8BDA34066FC896E2B027C347971145C82EE77319E3562D22CFC227878EB69101FF37CD4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):7218864
                                                                                            Entropy (8bit):6.420865391039325
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:1gXDS35znNYjRDqf7QPJdN/74+nyLLM4csTGbPTMb55eg+FYXz2mKZOLKDtiOK1Z:nWWQPPNdVS3UYMi10vMugPVm8
                                                                                            MD5:72698B6D5DA719CA9A174FD6559F6E1D
                                                                                            SHA1:C7B4CD50E569A7260D529C4A815D59EAE38FB961
                                                                                            SHA-256:296F221E683EF4025E8C8897C248BA671408BC89087E43D0DE04A54C975F491E
                                                                                            SHA-512:1C44B471AA55DECD8F7C8C74EE361DD406B3E136C2D7E9B2B1EA67E3DC90C627BE51E8782FA4DEFF9144BA83FBE64CA939E878DE839DBEA88F68E504CAE35054
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):128116
                                                                                            Entropy (8bit):5.370735995351501
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Q4R1VbSVwDwaPwT6HUrLOd+QeeSsL0J6tuBMWoXO3I9GLfXEAbZt1ScE:rR19SVwDwa3qLOds80KO3q
                                                                                            MD5:46F982CCD1B8A98DE5F4F9F1E8F19FE5
                                                                                            SHA1:13165653F2336037D4FB42A05A90251D2A4BC5CF
                                                                                            SHA-256:9E0AEB9D58FECC27D43E39C8C433C444B2CE773CC5D510FC676E0EBBCAB4BDDF
                                                                                            SHA-512:2C40E344194DF1CA2D2E88DBA0CB6C7EF308DD9C83E10BBC45286B5E3BC1D98A424A60EC28B2700606916105968984809321505765078D7CADDBB1C4D3F519DE
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):207215
                                                                                            Entropy (8bit):4.921481662991676
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:R66FO7S/E92t7Rq4rgEkDvuh7gb8oeyHXkiqiwGMqyZJjhEb2WAATMb0kew97MaH:fXgJ1mudHQP+x30jH8+D
                                                                                            MD5:15B05881E1927EDA0E41B86698CE12DA
                                                                                            SHA1:D629F23B8A11700B410D25F3DC439C8C353B0953
                                                                                            SHA-256:4C0129E1023E6E6CB5B71FADD59026D326FEC3393463530C2F30FFF8AACAAEDD
                                                                                            SHA-512:6F921563D6887D0B712966BF3F8DEA044D1115DD0A5D46EEEE5595966DD88E49D5DFBEC74EE1DE19A330BC9F1A11EF3C7C93D6C5E69F1EE7D1D86085B7A2BD7F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):212084
                                                                                            Entropy (8bit):4.998534880105499
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:fYFTGltHPcNRXqhmBdJcFxu3PzGF+hFGAaduzBfMCS2xHMuZtE9P6NsJ0NJOKK1E:fwGleNRx3PzNfPMgSENmW95I1LCA0
                                                                                            MD5:EFE9ECB3AB373B419A77A5FFED737900
                                                                                            SHA1:4B8BE68789DA5689CA0AC6306EBCB3CC497463E0
                                                                                            SHA-256:CC46883F75D337B5074435AD45AB6FDFB1F47875754779CD181D4BB29F91ACBB
                                                                                            SHA-512:442DAE71B9D002EFD91D4186B96AFCCCFF47C6E8F952EF5AA54D9A5A1846D6235312A4E0F04CBE13719EFC40EE9495EEE0E6D6C56276DE12B1D7FCC83DF219DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):231941
                                                                                            Entropy (8bit):4.718503600082365
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):298415
                                                                                            Entropy (8bit):4.346199157910122
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):143719
                                                                                            Entropy (8bit):5.392693955944506
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):146785
                                                                                            Entropy (8bit):5.805008241395064
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):133749
                                                                                            Entropy (8bit):5.421723634331069
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):143233
                                                                                            Entropy (8bit):5.481903939044728
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):255315
                                                                                            Entropy (8bit):4.798432799453044
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):117954
                                                                                            Entropy (8bit):5.460279502296883
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):118513
                                                                                            Entropy (8bit):5.4633121954676085
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):142662
                                                                                            Entropy (8bit):5.356368782252411
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):143886
                                                                                            Entropy (8bit):5.324878998979869
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):129625
                                                                                            Entropy (8bit):5.446374075045337
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):203938
                                                                                            Entropy (8bit):5.104565847658903
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:CiQBXt4Ra3a8oQ6NS9/W2ESEm/ovV2XhmN4o6XBmhdBfOpfVKb8YIO/ECuFgjD8i:C7BXt4Ra3a8oQ6NS9/W2ESEm/ovV2Xha
                                                                                            MD5:A67BFD62DCF0AB4EDD5DF98A5BB26A72
                                                                                            SHA1:5DEF04429A9D7B3A2D6CAC61829F803A8AA9EF3B
                                                                                            SHA-256:890CA9DA16EFC1EFCC97EE406F9EFA6A8D288F19A2192F89204BDC467E2868D3
                                                                                            SHA-512:3419C6BED5FC96E82F9B1F688609B2D2190003B527D95699E071576C25730934FBED3437FDDE870FC836BDC5E690362CAE1E612B7FF779C22B853BAF3CFCAABF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):132519
                                                                                            Entropy (8bit):5.409933983192656
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:KTDM6BJkRQxRcMfOAZZTUqyUEvU2yjZEE218vWURl/HR2j8bR+UhSjNM1OACX1hl:6ngj+2lE218vWURxcj5NnX1hwef
                                                                                            MD5:ACEED6757E21991632B063A7FE99C63C
                                                                                            SHA1:491B4AA5EAEB93E662F720C721736E892B9117E5
                                                                                            SHA-256:370164E61142D8609D176EC0CC650540C526156009070563F456BCDB104E9C0F
                                                                                            SHA-512:664C369E74930A61A8C9CCEE37321C6610FFDEBA8E4E8A5D4F9444D530097B0F4556E7B369DFD55323FE7DF70B517C84AE9D62A89C1984A8CF56BAE92D3E0455
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):148094
                                                                                            Entropy (8bit):5.159512531813897
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:N4uI0cHX9ooz8MDwGgbKIAaCz66/4pSe5:QRyooMiACB5
                                                                                            MD5:CB9FB6BC0E1EC2CB3A0C1F9C2DFBC856
                                                                                            SHA1:C3B5900A38354EA00B63622BB9044FFB4788723B
                                                                                            SHA-256:945C0160938C3BCECDA6659A411B33CD55DFAC18814BED88575BFD100C53D42E
                                                                                            SHA-512:6ED77D0FBBB1186CCB7493708F55F8A2C3005A1F1DA759C16289713A853BCAD4A2CC4846874D67F722F461B1950A763508A91A7970BC0EB5DA686206AAA8489B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):153314
                                                                                            Entropy (8bit):5.373911049579379
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:l//px7k5+45t3JTI3LbEKdG2Hr+6VB8RNtrAXLYpSKnRHDEhMaIzKByroFDuFcVR:lzkp5VJTI3LgEG2Hr+6VB8RNtrGLYprI
                                                                                            MD5:BC286000070C9A918A8E674F19A74E12
                                                                                            SHA1:41221BB668E41C13FBF5F110E7F2C6D900CDFFD1
                                                                                            SHA-256:D641D9D73262CA65A613EE0395204435D6830316DD551F8992407AE77EAD4B64
                                                                                            SHA-512:553DC84FFD09DD969802FC339AB20F6AF3C36442C1EA23E4199519F2C5FB50BE79874AE455CE5FF44511A3ADCEDAE7F3030D13E0ECF2B456233D5F4FF186A5DD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):289453
                                                                                            Entropy (8bit):4.382772751875843
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:6bnPhzx39v+O0lT1A626EPqP8M388CMrPCK35YdO3C36SoYimPVOyVWqTPgrmd/t:eHVOYFf
                                                                                            MD5:AF5CC703C77E1A4B27233DEB73C6ACE8
                                                                                            SHA1:EA92DCE379EC9405FD84274566D363CE302D7F1D
                                                                                            SHA-256:CD761009ECBD4736B24383F020DA05D2E6B9396C67A7EC1F4AC1966943CF9EAB
                                                                                            SHA-512:DD379CBAB7A6FDCE05B0FF34D339C2F3320F83F76D8E1FB7EBF20EDCFEBE541AE454490EEB83D8EDC069AAF3DB52D6B7DE6D701672A13E75DFE59840E8F2C5DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):178549
                                                                                            Entropy (8bit):4.72143996697818
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Yy/mfC+WxgbllqMyX95E1u3XTnw6ImgMxQZ:1/mfCwbllqMyX95E1mXTnw6ImgMxQZ
                                                                                            MD5:B2F893D17E118CD03055B55B0923206B
                                                                                            SHA1:99B6358438A3EAFFAE38DCF6A215D8C5F9BFDC26
                                                                                            SHA-256:F6D1E2A269783F27B85C2DB2CE9286F581EC2E16586ECAC476AB5735CD8AE12F
                                                                                            SHA-512:34FA1C4BCE2F9E2C5C7B494A829F5B492B40E8F4F0BC586F564755DE703B5765D81795C67E19A27D2F21D297CE3B7E5058A126118AFE6911CC429FC58D67F13E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):299590
                                                                                            Entropy (8bit):4.360369510849167
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:HHD12s+/nqzwakcWfKSYh2s3cwEVhYWVLVogBO/S/Ffm9NLahPzRvTHIf+ovahgJ:h2s+bL7y3
                                                                                            MD5:C6CDD9F54AE4D9EDA4A2EC12BE1DD227
                                                                                            SHA1:04315C2652D7810EAC876714E2B52F11E089B322
                                                                                            SHA-256:702938B3450C83F10326FEAAD396A0B85EB93E50F5898837BF2653A4A456C3B1
                                                                                            SHA-512:FC0CE390A9BA9DC5301B79C284D643C6B7FA93A09AB6D7CD70F5C76E21BF2841AC152567F33F009599416F7C52A0A74A3EF1F830E7596BBC9C9A3BD368E7CFAD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):140485
                                                                                            Entropy (8bit):5.488201715897777
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Kx0LpBWR8sKsAGCm+VdljWNqcUlEdp94LnMUpEP1yMMoPa7ayvWlx9s:KAyC6qdl
                                                                                            MD5:209EFAA890532DDBB1673852E42DED7E
                                                                                            SHA1:8E9A3E643183D4CBDFAD9FD2A116E749B5313A95
                                                                                            SHA-256:3D01F9D2C51EFA0C0D8D720DD832493B1B87D2429970396C42CEE2199E7BEF40
                                                                                            SHA-512:5410B31AB46CCFD29B750F39D3796A533EC0C0A7B7B31B70977F59F348DD4190EDC00C86DB8D5B73DF2117F27FD283DE2057493C081CEF69D04AD9894EB5C05B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):152821
                                                                                            Entropy (8bit):5.620048725381683
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:eLqPnCMNxIRZk/3gIHmnRjiGhoDotUGnCdAtRdpEsLY5M3ICm:+6NWRQ3QZiGLUGnjRdpER63ICm
                                                                                            MD5:7317ADFCBA87621963E9CB2F44600E2F
                                                                                            SHA1:0398D795F9A3CDE03AE85E8CD2C4723E7EF5F7E4
                                                                                            SHA-256:6EDCDAF17483C4B7B74D9C728C3F38D9E4704BFBDB618B578C7CCB6BBE6E824F
                                                                                            SHA-512:E8EC0DF2DDF67799194E8D3F722B5643553FB05026BD5F8D933D1CC18DF6A641EB1B810E22114B44513B57A005D326B91A1FCF1C470A636CD42C5BC5FA0F254F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):127592
                                                                                            Entropy (8bit):5.337449892048412
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:7uYgZU9ZZpzS95KW68e0sSx8WsAzaZts3cCXw:7uYWUxpuvtwSlsEaP
                                                                                            MD5:E2265E49D69D75B1DD967A05208DC896
                                                                                            SHA1:FBEE6EFFF6ECDE688C37DA898F8480173F4186F9
                                                                                            SHA-256:45018EC216D0F59DC4FEF155C6123C697124CA28AA51ADF19C2CCEC421DFF3A5
                                                                                            SHA-512:78B1B478F82FC8089A890728D2A886B961607F67A0D06F91FD5FCEA68ECE5B03CF58A0BB7AD5ED622602A4911E9019F222673A767B39707D383618A6C4B719AE
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):141689
                                                                                            Entropy (8bit):5.2487922257035375
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:hzB8XN5Sv35T3gUYTEKDoLxt1yN4tA7kxAjidOp7kPMHe80Ru8:7MYv35T3gUYTBcLxDyN4tA7kxAji1E+f
                                                                                            MD5:2CF96A1E0B554FAF0794206BF140E140
                                                                                            SHA1:A612D9FC6B006514D52B73911BA4707E4C0A695F
                                                                                            SHA-256:6FDBD3EC9730D4C101635D9601C5F7902AC76F8804D544E4B07F8DFC2743F292
                                                                                            SHA-512:213AAB25659985830C5D12CD8319CDD9F441E84292F3E85A6545C6A3F069C602440AC292D4285CBF434B12A6CF66747251197B978774068758BE9E53D636C2B7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):168609
                                                                                            Entropy (8bit):5.757161601136051
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:Hu9OLUlhagNjy/d4thSbFsSM8IpB46XeyOsg+Ft+nFUNjyNLAVK:qcUlMItthSbFFM8C+ZiFt+FijyNLAVK
                                                                                            MD5:781FEC59B38A21DC663F3A482732196B
                                                                                            SHA1:1B660BA0BD9AAF67C5FE49A372687FACD6D264EA
                                                                                            SHA-256:3849F8B48B034FE6319112EFF77B7C9F6A8D7B20CF7BC8400528A0A8458677DA
                                                                                            SHA-512:F2C3A6D8C23F72DB8E70EC8CD87793EB103B58BDD3976E99F42867C33A6688A41C79EADCDF25C6AE01FD20920AFFD43F228A5134AF28F83EE50FE02819665E95
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):327618
                                                                                            Entropy (8bit):4.292167615217582
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:cSs3wIBtgRlqEgknaw6T+PDu6m1TSX4zzEr7JQO6eJ2:cS8IRldQ+8/Ho2
                                                                                            MD5:66867A2133EF0C73F385AF7D5D2EED91
                                                                                            SHA1:8CA6E7E6D679255C2C151D38CF70A5F25CCE059F
                                                                                            SHA-256:407599A388BC151CCD2561181EA90FF620F4CB5C767317AF8CA4748927BA7F35
                                                                                            SHA-512:482C0B75C921470866B7C6CCF09CDDD59CE81507E8DF7A2158D3ABF08C7201EBEED67C1ECD36F5CB015A8833AE9F1917AB6118F9F0A959364DE958729295F37C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):141682
                                                                                            Entropy (8bit):6.102101768419481
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:O7nJcQ4G+othXoAgWCYeHw0pFSCukpHTegNMq7Hh1I/4KiWgx7D7/xRAmxJT6rJk:O7JQGbtkSq7Hh1qydSwx5
                                                                                            MD5:27705557EB4977C33BC69F27C2EE9F96
                                                                                            SHA1:B0297538C4E68515B8F65D44371CB8F4CDBC489F
                                                                                            SHA-256:DE71F906636D2A8F5833A22E92B61161182C53E233B75B302DBE061ED57E9BDC
                                                                                            SHA-512:53C8917049D72A9739BF7F2ABDBDE3120ED3124967CD9B1B71B172B7B36ED41A1FF970D3841C0F5EB5B53616DD9F8E03F65A79E6A6964B83DA2C84174C1DD56F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):155112
                                                                                            Entropy (8bit):5.597757057369356
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:DTkdJNFJ1BDyyUa73L6fbX9A8Z2I76S1a5nJ:nkTJ10Pa73efbX9Aw2I76S6
                                                                                            MD5:A3E29F4A3CA6F2058A6F464E49F914B6
                                                                                            SHA1:3FC632EACCF91E86B365D444E7ACBA6F9302AA5C
                                                                                            SHA-256:EC70EDCA70373390F028AA751A74057FB1C2C583C310492723A228C863007C47
                                                                                            SHA-512:EEC22E3347AFFC0EB0F9452F3B9B239E8B714148A39BE83EBE7979BAC706A942DA3A17DE01E9A1B89DFEC9E970692C3E9FE566750092FC139325AE25ED1C3E04
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):153465
                                                                                            Entropy (8bit):5.609936843204624
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:pvij24mCJrjE7+Gv9A9kz7dyIs8i5ijAoDfZ18:pvij24mCJ07V9AS7dyIBkijAobZ18
                                                                                            MD5:28EEEE40B2722E1CC42905C70367FBDB
                                                                                            SHA1:FD82465B1522D314B295207934A7641B3D257D66
                                                                                            SHA-256:026E6A4EA0FD11C07375F0532A0756BFFEF585889A71F33243A116C462B0C684
                                                                                            SHA-512:A99D203CE67A3E5D4F831064F83C730B045FB1EBA47CA804CE6C407E04240F4C51B4114446C3494E2985A1109695533D1B1C5C7594A5555276BE366C07D0B855
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):345375
                                                                                            Entropy (8bit):4.318830515196368
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ukvjrC/9IJFlYBkPQ4z6NWdWMQTW1fp3ut:uk7W/ybPQE6NWdWZTaB3ut
                                                                                            MD5:A7F6CDC17EDDC1550260489D478EC093
                                                                                            SHA1:3308EB8F7D1958FE6B9F94602599CDC56460AA89
                                                                                            SHA-256:01A0E2F809FED45B9B67831202D297C3221077FA2DD84F3B635AB33016A07577
                                                                                            SHA-512:42132CA4A62BD5DE5928F8C313C930C1FAB0AD918FE08612CCD118E421ECA768956AD42F7551D6CE58D10BE6C34CAE7A2FEF518BDE9F0641C339F7AF70F42688
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):284611
                                                                                            Entropy (8bit):4.36914070069881
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:0j57j1LKAbBeM49D/Wcq02RCuXaIuc7nNSZhZ9K3MxeFlWSLQMDdjB3rhPXyYH6z:0j91L1Cujy
                                                                                            MD5:BE22080B1E45301C313D92D825A7A9ED
                                                                                            SHA1:84C9370A4845DDFA1EAB8AE334C1F4CC02FFABA6
                                                                                            SHA-256:C09D274406A36F90C75A1DAF018C5373D697C42BBC20771A827F62EBE08DAB57
                                                                                            SHA-512:9558690AE7AC41984553AEA1E0133778301EE12E0DD6E16F5DC0380619B82A7A8D37CBE0EF59EFCD53C05987ED6FDEB869DEE8FE2224FDA8880D473E932C2F87
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):131776
                                                                                            Entropy (8bit):5.23641513662631
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:kvCULU6TUyT4CEiix3xDEr+9eX2jBS9ssQQPYOY9vSi3765/3+8u8Jyu:gTTp4CEiO3xDE3X2jBSaj36o8u8Jyu
                                                                                            MD5:BFF5EA1DBEDFAB0DA766909C2B0BEED3
                                                                                            SHA1:9AB6989C47AB4CEA0D620FE70BBA5C1E15A58A51
                                                                                            SHA-256:6240E885116732AE850542CAB40C80950BF83171C17A84BF02D7DF9B1A2A98A4
                                                                                            SHA-512:8BC32F7BADE04932B51A2BC4E8D5D609D379A157ACCCA63E43977A19F2604E87BA754BF545651A1237C74E05577F36D85E53D20FA1DA41E7967E8EF8A657464D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):129811
                                                                                            Entropy (8bit):5.41466631045413
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:KGw/e+4IRu0YenTKG4I8liXbuzqF6I9Im8VUvCAepd9nNMR0b:1jZenGxI8SuzqF6I9IwCnp/nNsW
                                                                                            MD5:2F31DBF3F36906C58B68F7F88C433257
                                                                                            SHA1:55552671F81A9B24EF05D16249BCF5135D5A98C9
                                                                                            SHA-256:CA435B5CA91A253129BDE2155592D9C3876005C4CA4389E4ECF97ADAB9A6DE4A
                                                                                            SHA-512:079EA4F01582E9AB05E2C63850B654AB84CE3B8BB72390899DFE662E2C4138B82F869829FAD3EE645546DD8E27C749D2EF20A0D5BC94DB174A59C6E0D43EA27C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):134663
                                                                                            Entropy (8bit):5.3406894485410845
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:wYSSmVmPYN5L3OUDjhJkkmP0l/gHkIINejANTie85XoknV:tSSa1OimmbjOnV
                                                                                            MD5:1E5B9D923D5F8CEF49C913BADD2784BA
                                                                                            SHA1:6E42A558A7207B2CEE2452263EB661843FE74D0D
                                                                                            SHA-256:7A7BE29044BF2FA9459A90DCCE12ED531931660BA680DEC8F32AD8A3364D973E
                                                                                            SHA-512:E4392F91392B79FA14C3545C9733DEB128F399163DCBEE698BF51B2218B1ABAB6AEF45C35130545DDC86626012599E4A8BD77205BAA735C957258539C9B6D484
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):147502
                                                                                            Entropy (8bit):5.735460180369809
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:3rlLYT1kOURMa8or/1QatCkBjzAzN3OOAYd4KNsNYiiUHYAUfpnyLA:bSkOw1Qa+N3z4NYiiUHYAUfBt
                                                                                            MD5:BC72C8E2426765839539A3B8340FE19E
                                                                                            SHA1:630BD0E844E673454477B819C808B7E18BEBE0DB
                                                                                            SHA-256:6A97C2CE05545607A59DF2F0DAEF5DA71058DC1E1685F26263B7110EDC431755
                                                                                            SHA-512:A0F2C68EBB8E5E2AB5AD682B5CE0B1DC955ACED7DE32001A0DECFAFB924CA94EF322605DDF69BA74BAF18871CFDDBAD97FC326C43E5B3168019E21912F7DA421
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):140711
                                                                                            Entropy (8bit):5.399539343244414
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:560p+ZnA6WbY3jwD6XDcc4LHwWXCqv5cy0Y0q47c6x0xGU5cQ5iMe7R:gZLzMwDccsdXCOUEOMe9
                                                                                            MD5:54EFB4172A7110A567AD87F67CFCD551
                                                                                            SHA1:EA8EAC6F2328B8A1B27249FCED7C16154060DCF3
                                                                                            SHA-256:C17ED07165EC47DE5ACDFA7E4783AF4B417843E5F232E9F38CE02138C8BD1742
                                                                                            SHA-512:AE8AA02E9BCB3BFD8B39329A2C37F789484661E283DC63297E1EC2DD5D14558B349C312990048DC6A03CC7040A1C6FEA2571C6102B1A61A638F9AB615F5FC938
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):141510
                                                                                            Entropy (8bit):5.387039490844644
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:mMkJ686+k89HwqsQX3rRK0ZY/5MQ4zwdQxz2qKHA6XLLaH563sn:mK8vsQX3rwrMQiF6naH563sn
                                                                                            MD5:F7A822E3DEDAA3DF046C3172613E275D
                                                                                            SHA1:14C21D2CC296197A9A618F21DC103F0D6749B77F
                                                                                            SHA-256:E2E84E23275190865C685E0712530245E35DC63FF82C4E854068494192917F3E
                                                                                            SHA-512:0D08FEDB423E9EA4F9CA54B55FCB6A88C4F4AA7ED71897B4A7625F093E8DC05733EC52E4577709DD4E4C7BE001770E1DC85C0E10E0DAD883F3291C515736B7C1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):144693
                                                                                            Entropy (8bit):5.433783046509505
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:uo28bUMKGVSwPku93pk6k3aveNmlodyVw9HHDv2QJwwpsPlJtWTXh6jYf9KHD8EG:uX8IUS+kA3ppya2N/Hr2hPGXh6HuvfJ5
                                                                                            MD5:5F6AF740E111066BA5245A7FB58C3D38
                                                                                            SHA1:BB09D9F89EC6E1DB0A45CD15F84930DC34011B16
                                                                                            SHA-256:B9FEE8754A5307751F197D1968DD02E163DBA30F09A36C72F88B63B4EE5BCD26
                                                                                            SHA-512:D2C74477BFA01E8B5B51FBB4393368DC967BE362833CC2AC61FC989F41896F17B957D10C0E03B442FBA1F3D6059637F355DD6E537E6E00C382EAACFC1B5D64E2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):230803
                                                                                            Entropy (8bit):4.880792707330682
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:KYbEaX+n/uRHC4Hjn+T52wdOrst488QgIv7RX9oyMUZQLv9IMTYDdVxfA:zEaX+n/uRHC4Hjn+T52wdOrst488QgIK
                                                                                            MD5:822750AB24D9EF1A54F3D987EEE1ACB5
                                                                                            SHA1:DC99948CFD029CC9D98C10E487625832DB8F1855
                                                                                            SHA-256:3906F069E6E2A3A0235826E9382624E7A4CFBA309F00BBD0963FF0C9F2C179FA
                                                                                            SHA-512:B0D9521E088C80470E5D15E310BF7E3E27B16464C5349F2BD6F29A78E7FDC7DA36B3B1BEE68E4496585B0E2F20098FA6B0B3360C4B43F2ED9718D292755F5BE4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):149684
                                                                                            Entropy (8bit):5.76737201509727
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:AECQqENgyHHraQUjZLF1qkM+zBHCYWGrG45Pa:0gNnHraQUjZL7GJ
                                                                                            MD5:7CEDCF98E68F4001CC13F2B761571681
                                                                                            SHA1:FBA32C46564452FEE5697777B6D3C60D69589528
                                                                                            SHA-256:E6509F7A6C6B9912F2875C7EFA34434AB9562DF3CDCAF0546B6370D594CA46FB
                                                                                            SHA-512:C90CA580C5DA2FFF68B5957940D9B2C377CB07632B1FC0C8A23FEF9A076CD05DA618890F197F5B2F7314583FBA89BE083AD180335201D28C27A7C8C21A55C72C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):142373
                                                                                            Entropy (8bit):5.450298547452688
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:DHw4EXovSNw1uW34rKKGxIqTCOXi/fzszZvqu:zw4zSu3lKGxIUi/fzsNvqu
                                                                                            MD5:C08D0D08FD48822C603A27AAAD4E9557
                                                                                            SHA1:8B7D616EF86BD955CBDF68197CDF748AAF99240A
                                                                                            SHA-256:EF205CF8911A96D772711675E75BC8DF5866CE0D9D44EBB110BC07E4F340FF65
                                                                                            SHA-512:480A23A25860616BE8844CE29042FA15CC7F360E2C53B367F6701926B9A6DF72D82AD6C5DC7C0FAFD537202D4EA7C44DFE24589FB4A4F52B4440629865F8C19E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):218369
                                                                                            Entropy (8bit):4.821449441901466
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:RgAswQLHL49joFDq949M6oG3LFYJvajlw+f1SyTxSWXD437eV7thBn0yhtKlQJ+O:hoDT9M6ia+6Sws37ezn5tEffJ/k/ZD
                                                                                            MD5:7CFB6DD166594DF07BCCB7C08774A667
                                                                                            SHA1:1C06A8ADB81C357909ADE0307A67A122C94C0CB7
                                                                                            SHA-256:C3B5C6965AFFB7F30DCDB5FDB485767E83F3B5D694865A677783C64E3B84934D
                                                                                            SHA-512:92FEBE5A65C90F105BD7609E2EFF2626BF0E22B186D73D6C1AEB0497E49D9C34B2BB22D26E0ABDE4713DA2C7CF51296723694EE9BC1DECC5071A5225F60E650C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):130451
                                                                                            Entropy (8bit):5.4960426005543
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:UzBxJg5kf9KPmp1sWZtgKqrAuxHcShbCeSAOb1+XWk8B:UzPJB9vpWObV
                                                                                            MD5:B4D3AB3791E862711986BB585C1676FC
                                                                                            SHA1:2123C8879A70728657E72415D7056AAC4A1527E2
                                                                                            SHA-256:080CE56662A0A32A4164BA88F9C5081D7C43DC1908412368A70E789E1ADCBF66
                                                                                            SHA-512:B904F1741079A8C7ED7647EFE42E9D7B9BE403079DE7E512539B70BC653E55420A3ACA4B599E8A9D440245A61F94124476B3A5AFA43B39FF1AA48CB48FC5C15D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):137154
                                                                                            Entropy (8bit):5.302768584935173
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:fatfGmt5JXHIYC9tUDiGyp0jcHZPXQtVPGqLej+hKfHw8L:5mt5stUDiGGHyWj+hKfHw8L
                                                                                            MD5:A5F4010DE863114025B898D78036B336
                                                                                            SHA1:0FA93FEE8F60D1BF2FEC4E01C5306404E831E94C
                                                                                            SHA-256:8C58ADBFF7D672154C6F399EA29B549005460D80679E1F6CF997D95732857C30
                                                                                            SHA-512:7F8B00AE7718F39C0AB91F3F63A3B5062D9878F224417282C3FF43AE9C88562A045C54F7C6F9F7447119A16BFD0EC40B48F762A52B64BC384EC80F53898C53C8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):343860
                                                                                            Entropy (8bit):4.111194560758072
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:mCPn9VrlyrrEia8QyMwQw+z0vtNiE2k4ca6QVW640akLJXj1oQyz2PtRtBWQmdag:mCPn9TGDG0vgtRxcA27
                                                                                            MD5:AB1ECE31AFE29124D183B3826C7EF291
                                                                                            SHA1:E707A983F039310B867BF4B502165F1F512B9818
                                                                                            SHA-256:5CABDECD2A89BD97782C13D9F5B24550EA00B28750CDB26A7843AF7E75E34B22
                                                                                            SHA-512:6510D54C2DD177BE19CA6B250E936FE0E26036AEE7BD1D48E141CFFDE743FE03A02BE0CEE22642C3E8A702B2277D7BF307BDE69A863855BC65A55425A1F2F884
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):319550
                                                                                            Entropy (8bit):4.328155937035043
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:U7yoDguApFTaJAhJRt7bDDu3+l/gFipPJiTWFGvqdWVuVyJs4CoWfxM9SwTQTwdD:UjguApFTaJAhJRt7bDDu3+l/gFipPJiV
                                                                                            MD5:42384786FDE254178D9855FCA1D88624
                                                                                            SHA1:3ADC71526BEB093A67B48C16FD59F277BF8C683F
                                                                                            SHA-256:75764AFEEFEF5120539C4D95C56F1BF6A5FA7F36752D6CB6E480FB923B95A39F
                                                                                            SHA-512:B8813764DD602178AE72A5B8537A1B5A2F9BF025F695C4C5906AFE29DABF5031BE6C2255B175481144A8900A7AB7ECB3FC7C8BB49F123BB7B30DE8F0711F6A94
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):271715
                                                                                            Entropy (8bit):4.372687693843707
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:k8bxaCJFkcSCkIOArCSGHIqXqWmh+OqeZK8QyYoHw1pZZpUR+5aQoFvktdIpDKIs:NbxasFkcSCkIOArCSGHIqXqWmh+OqeZ4
                                                                                            MD5:5ABD2A1B2749449A0CBBA60E32393F4F
                                                                                            SHA1:31097BF4728F752508482C298710CFFECFB78D60
                                                                                            SHA-256:C666359FC9FA137F6D7F868CCEF01DAC8701B457BB6BB51FCD581185D4BC8780
                                                                                            SHA-512:094DF53F3BAC23EB384015E8F2500484556B6EBDA0CB62BC12A773DD1D520D82C13CBAD25EEB67FA04CEB209D80144FAC70FE60EB792CFC1A0C5027513B7448F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):138883
                                                                                            Entropy (8bit):5.595652021278339
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:h+ceHcXCPitGJmAMvCsPnnNtOLlh74OfkiO8ru0j19S4jidDhdaMEiZOYuZwi1Pi:4RHLJmAGvduMEIGwiB1ln6
                                                                                            MD5:08B737A1B8ECB81C8EF4D7B8F6B5F503
                                                                                            SHA1:99D2CDBB720F114051627ACBB79475CCC57CE6A6
                                                                                            SHA-256:84F08423FC516988761517511D36BF5D3428866965ADDBF3EF4399A80F8278E8
                                                                                            SHA-512:142C61F08E56A084F335DCF35C543DAB872DEE898C719052FB8D42BE2050C5FE6D9245180FF9D0D0E07CD884DAAAFFA6CCB5428FEE91AE00413E0EA38A5E8C9C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):233231
                                                                                            Entropy (8bit):4.921486764568706
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:dQc1JbB3IjU/zDFjqCKTASYsjFzzPlIGgxLNiXEMQOCqPiqrEb4US/a0h:dQc1JbB3IjU/0TFdzcLNiXEoCqPiqVaU
                                                                                            MD5:8162EC467AC9A8DAC71D22C630A3E6A3
                                                                                            SHA1:4E9E8F49CBCC5E583B8ACC3A65FFD87818C96E2A
                                                                                            SHA-256:D1E07AC8B6A6CE53F06C66241D44407F98A1940259883E143A574F28A2AC170F
                                                                                            SHA-512:E944E3F8F3E9B2C8C6F26E1A7606E441816406AFE031BAC9A5716CE060A63F03E01A95CC365342518629065B07FC72CF23D65AC84F0B58EF100CF9706A239B58
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):204639
                                                                                            Entropy (8bit):5.2007888153256445
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:9WEBWVxEJGbAZ1PRXS3cBEQYryfng7Ha10unBSco/9NjjFpv2W3nW/I:cFxEAOPWciQYryWu0co/9NjjFpvpWQ
                                                                                            MD5:30CE113BC3C466751BDF8D50CC568FF8
                                                                                            SHA1:D0B434B8F196A320995F49845D64054DCAEDB97F
                                                                                            SHA-256:34D46D28AF3012BB84767A418957F12D877789B88A13EA29B047C7926ABAFB41
                                                                                            SHA-512:A8139D60E498082C122B068A478038E3D3A7D6FA71BB8CD2B1BD7976827FFC23F7117F989B18D600960B222178351F01DBFA0FCDC3E7F0917CD0D47B5902FB44
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):165529
                                                                                            Entropy (8bit):5.759272509515678
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:VFG1hKMPn2ZPiz+sJoO4294sN+U2cSKQa1bwNgqnziL8LEEpW8LTtdLpFeS+pyD6:rG1/xzosN+U2obMXzigLR/L2
                                                                                            MD5:247E8CFC494FD37D086DB9A747991ABC
                                                                                            SHA1:BDC53C042A1C4BC2EBED6781B1B01091C8FB7A92
                                                                                            SHA-256:4C4E69AF3D7F7012E3CB19BA386FC69EDD0C87CCD9BE326DD6DB902401D123F3
                                                                                            SHA-512:852DDEB1CE8DBF13280E9DFA72DD10B646F8B06CAF88055AEAB32009F3FDC397A05764BE48A04730E16F23C931D069880574D8BF9C7F4EF151E1D47467A7D60D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):119036
                                                                                            Entropy (8bit):6.661560096138896
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:fwtiYPXW1dGAXHk109nKyOTe1FxWBcJnku9YEQdNlmS:f3YPXiGAXHk109nKyoeXAW22enlmS
                                                                                            MD5:A55307F02A094632CDC278A86897DCB4
                                                                                            SHA1:E5009CB6B96906D0267349E94CE187B4B73F7D76
                                                                                            SHA-256:E8F4CDC11E34FB557148BEAD1EABFE381E9296DD32DF3EEFCFFC1472FB674CEE
                                                                                            SHA-512:1EAF5A14B908EA29833CAF655E81ED62EB197E797AE6842C0CB140BF69168AEC3F79701786B1FDEB1B9AB78A67D4357006294247FC78341DD0EE62BB9BAE6A81
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):118312
                                                                                            Entropy (8bit):6.659894916214185
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:DWsNZGvZ82hdmOXfT/Cs0iXAf/N/9XiPA5QcGoHwTP:CsN0f5f+8Xm/9yLTP
                                                                                            MD5:96620581F25AC84DDD4B9D0CD29B0749
                                                                                            SHA1:6413FAF7B2E31755674F27DE8CDAB0788488526C
                                                                                            SHA-256:2A674D423322D1772E97A627F1E291EFBA5F12B7EFD0F174CDC99D1B1B376988
                                                                                            SHA-512:7FD315CA93B431C59F92D31B803571EFFC5D758A52FC5D2F797A306FA63EA73162AC91805A892479B6940582AADC8903BDEA6BB70168D660D58525BCA4202520
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):581192
                                                                                            Entropy (8bit):6.526392231113294
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:Ssjw3shF+jss1I8CgEWTe5+YMCMGz2MMY5U489wiyaf+QEKZm+jWodEEVksLdS:Ss/5U4RBaf+QEKZm+jWodEECsL0
                                                                                            MD5:47AC9271F98DE480745F7C0D1B0697F6
                                                                                            SHA1:945A58D970F90ECCE247C71529DEDF4AB0FDE06F
                                                                                            SHA-256:2FEBA7BA47871A40D6A7FB6E3BC584D28AF9686F3884C297C3429F257C4ED70D
                                                                                            SHA-512:05ED53B8C2DD1FA9331DF2BDE994B6B5A1DB364EE230AFF6B9EFAE4A047A48EB72CA803A89F7028A7D1C31EFD6BEA782D8BFAA5ECB92606A9E14F471D9F3B099
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):35432
                                                                                            Entropy (8bit):6.590864781276069
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Ph1vZLEtU/POoKFYEzWf66uW3kCsbRR2R9zyvGM//NEHRN7kfMR9zlN5m:5pqtcPOj6TKzK9z9MNAk49zlO
                                                                                            MD5:BBACA184F20FD7EC28D1877CAE222B4F
                                                                                            SHA1:22FB3367EFE57ACAE8A0EF4D142AEC49102ECC7F
                                                                                            SHA-256:87E7E1F01A6EEC8BE47A70402FDAE0DE8A624686F9EB4D3330BF8200AB8AEFEA
                                                                                            SHA-512:B7AD44BB9E9D275203850850D5B4FF4422E02BE2235447BF3AF54902447265A938F9A909B668B69C72E1BE84BD9F16BA1239085167A3E297AC98DAC905039680
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):197192
                                                                                            Entropy (8bit):6.639708780790847
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:tYRRZqoOwZfxWsy0f8FM0YGal4cxFL24T7bMXm1cF9cr70z5ThmdrhtsGGhxY:twfqoIuf8q0Y2QFLjbM2TegdrvGxY
                                                                                            MD5:A9BB1D11785D9219048B0A088E1186E5
                                                                                            SHA1:0E3048D75CE36FE0A1C88857FFE68E94DEBA6277
                                                                                            SHA-256:C47ACF03E26DFCAEBD5C95E3FF2717D28BE11E71539C3BCE5B2732E59464D197
                                                                                            SHA-512:92A71EEDC96AA9DB596D34679159E7493DD17F9BD395F3C1BDBF2B5939F71AC8E3B3E2D76D4D4C459D7EA9B8CE38DE925EAE2404E2686A35F0E82450A865AF86
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):66664
                                                                                            Entropy (8bit):5.683410421031462
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:HHL4+YhCv6vHKOIrHA3X2QLc8Ms9zlpAXF9z6HR:LRPSqOqg3X2QLc81zHAHzWR
                                                                                            MD5:2B6D99EBD745C68082B88AC9797CBABE
                                                                                            SHA1:E7763C25941DB6E0042CF3851994CE6683CCFA87
                                                                                            SHA-256:A2AEFDB61D48AE3506FCFC60FEB5EBA6998F2AC2E4E8B4367979BD768B0E82CA
                                                                                            SHA-512:107D657988B7164862B2896D44C13D851FD70ACAE3CB93E0926568AE526B0AF89DF8B4F25E9841F82D79F51D471EC016E4011587DA7BD994D5DC352D5E799FE7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):30824
                                                                                            Entropy (8bit):6.844841482505335
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:DvhXafwUh8zWhO+KWWCskji9R9zas/NEHRN7Eq/7R9zkV+e:Dsoi7u9zVAtF9z6v
                                                                                            MD5:0884B235E9F3FCF4D02BE4C02635D136
                                                                                            SHA1:6C2B17020586540B9BBCD7AAAE6D7418FFBA0A33
                                                                                            SHA-256:D5242B4798E724DEABAB17015568A394DAF8A85FCBF9AFCEFDA899C8092542D6
                                                                                            SHA-512:11230FFC6A0B7BFD5462156A9A86550E7A306BFFEA1B7B8DAB768BAFFE4E8CC7E8BA46DF81A460E8825DC294D5B8980BA5D93ED7D29F76976B9A9E9109EE725B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):5140957
                                                                                            Entropy (8bit):7.996440332543967
                                                                                            Encrypted:true
                                                                                            SSDEEP:98304:NImTwJrWzlxtvH3u1Zl3oPDLh1fa8OlpSerwrAP5WDj6WzOvKIowBL:N7TyKpxtvXbDLhBa5p/krAWnIow1
                                                                                            MD5:EC39E11F63DC76F4E0333158F6479269
                                                                                            SHA1:90B92E03E2C299D241F6E392573EC7643F688197
                                                                                            SHA-256:5066CEAB1B4A8ED5BD24726DD85A1A21DEBB866800A946267AD6A009451C0F0D
                                                                                            SHA-512:68E8A2E1F2E62E71660D9D8C77C3DA86044F79AC24AF0472752BBF13447EC6439DAD938D08CEC1CC5504A15A72B9AAAA1828039656890CCDA7E10F91DAF77D4D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:HTML document, ASCII text
                                                                                            Category:dropped
                                                                                            Size (bytes):5356598
                                                                                            Entropy (8bit):4.781204754028124
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:FetnBnVncnJnkncnpWQtnwn7n9nJnCnZnGn3eQSnqnBnununFn/nwnJnqnvnOnqo:/PD45W3WSNLbfwVR8mfjF4HSCo/po
                                                                                            MD5:B8F23E85114316383A2902B55D6460BD
                                                                                            SHA1:8D387438080B8B0B7450116CF252B127A46E04F2
                                                                                            SHA-256:5047F9D8B1B24213169DA173E607D9E5242AE2D53246C7660B2D4150A3B1670F
                                                                                            SHA-512:6523549B119557ADD6EFE03408064B443E0DC2CD64DDF480A1C3F675722DCEBDF793C5C1DFA7CA0C320FC9B4D9BD2B12BE5420A668360AEA9AAAC0F02D0CB46F
                                                                                            Malicious:false
                                                                                            Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title" style="float:left;">Credits</span>.<a id="print-link" href="#" style="float:right;" hidden>Print</a>.<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<input type="checkbox" hidden id="0">.<label class="show" for="0" tabindex="0"></label>.<div class="licence">.<pre>Copyright(C) 1997,2001 Takuya OOURA (email: ooura@kurims.kyoto-u.ac.jp)..You may us
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):45984
                                                                                            Entropy (8bit):5.500299254618878
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:bFLcJ2unc9wWsuC4CxBUCx1Hs1BzbLAVRLYDzrKbRH+vr9XraDIWhjvJ:BxssTC4CDUCg1JLMYDzrKbRH+vrdraDh
                                                                                            MD5:A54E95F05882B842FF38D0DFE56C608F
                                                                                            SHA1:9228F20811AE38B90F2D4DF777CB48B97425B0AC
                                                                                            SHA-256:EAC4CF6A1BAB2E28D028703B470B03BB55D171AEC6AC197E88458EF73986BEEC
                                                                                            SHA-512:6CFF012E0F0DF8D214D343E378F30A304F0539B492CAF33103A0FE0BF64783726D7B1B8205382CA27C7FC7362C94D77056ED21285C3AD7BCA268A5813621F032
                                                                                            Malicious:false
                                                                                            Preview:mrm_pri2........ ... ...........[mrm_decn_info].................[mrm_pridescex].............P...[mrm_hschemaex] ........0....@..[mrm_res_map2_]..........A......[mrm_dataitem] ..........T..(Z..[mrm_dataitem] ............@...[mrm_dataitem] .................[mrm_dataitem] .................[mrm_decn_info].....................................................................................................................................................................1.0.0...W.H.I.T.E...B.L.A.C.K...............[mrm_pridescex].........P...................................................P...[mrm_hschemaex] .........@..............[def_hnamesx] .............D.......m.s.-.a.p.p.x.:././.T.e.a.m.s./...T.e.a.m.s.............D...........(@...%..................F..0........A.. .%z.....C..0........P..0~.C.....S.. .%{.....S.. !%|.....T.. 3%}.....T.. A%~.....T.. T%......U.. m%....'.U.! x%....0.A." ..:...1.A.# ..;.....A. ..<...6.A.( 5.=...-.A.. ^.>...-.A.. ~.?...-.A.. ..@.../.A.! ..A...-.A.. ..B...4.
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Unicode text, UTF-8 text, with very long lines (2046), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):428822
                                                                                            Entropy (8bit):5.141739584920708
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:HjmBzNKKure0HkBfcFZW879xhX2myXNH+Z/W13p8:8hBm
                                                                                            MD5:6ADF177E37C04AFEB5C507B0C0A05EBB
                                                                                            SHA1:034C04E0868F37792B6786482316EEBF31B40C47
                                                                                            SHA-256:C0A3D2EDBC9F8965C184633FED2CA1FEAFF25C93372F80A63C80AB2344DBD918
                                                                                            SHA-512:A4F7BF9198A6327A90BA7027E2B41D1B10B48FA34C5857CD11B78BFF377C287669AC9DD933F25AA623405930714EEDD0033497C79DCF305A6F9D7888E2AB20FC
                                                                                            Malicious:false
                                                                                            Preview:THIRD PARTY SOFTWARE NOTICES AND INFORMATION..Do Not Translate or Localize....This software incorporates material from third parties. Microsoft makes certain..open source code available at http://3rdpartysource.microsoft.com, or you may..send a check or money order for US $5.00, including the product name, the open..source component name, and version number, to:....Source Code Compliance Team..Microsoft Corporation..One Microsoft Way..Redmond, WA 98052..USA....Notwithstanding any other terms, you may reverse engineer this software to the..extent required to debug changes to any libraries licensed under the GNU Lesser..General Public License.......(OpenType Sanitizer)..undefined <https://github.com/khaledhosny/ots.git>..Copyright (c) 2009-2017 The OTS Authors. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are..met:.... * Redistributions of source code must retain the above
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):441
                                                                                            Entropy (8bit):5.112830834903654
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:ejHyWc4subuVFWod/NDhkQwYnF4kQwYyVevZs/FhYyVevZ6CB/FP5VevZf/FeXXX:ebvyWW/meZ/evi/evMC3evQdrKQ
                                                                                            MD5:4A061850DC8B7F1187B8F6CA479B8FAB
                                                                                            SHA1:A6A8CDC9A81A3A054E30770C5359A1DAE007E630
                                                                                            SHA-256:556D794A47D829E38DBF430ECD97AC1C9FB778A3294BA252BBB99C9F48FC290E
                                                                                            SHA-512:337F2D53EB31678585534E9E192A777BB812307909165D936EF3CFF8ACB4DFB2294A77781E85D7D61AE17BE0CD8F2703938C9A7023BDF308BBF3613D0D6D050D
                                                                                            Malicious:false
                                                                                            Preview:<Application xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>.. <VisualElements.. ShowNameOnSquare150x150Logo='on'.. Square150x150Logo='current\resources\assets\windows\TeamsLogo.png'.. Square70x70Logo='current\resources\assets\windows\TeamsLogoSmall.png'.. Square44x44Logo='current\resources\assets\windows\TeamsSquare44x44Logo.png'.. ForegroundText='light'.. BackgroundColor='#41479d'/>..</Application>
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):26788433
                                                                                            Entropy (8bit):5.913416020828915
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:XtpFS4N2rhuNQDuzwr99cFOpFLtS1KJdyiUFUOUFUH+8uLNNAUugHImUJX+M4Kjk:Xko+9CgpjS0dDymHI1JXXY
                                                                                            MD5:7BA6AFE1B148D09822FF4D4820BEADE8
                                                                                            SHA1:CBC0578E1457B6F3F3DAA8DA3EC8161E061A59F2
                                                                                            SHA-256:2DC052C546E34A034CF93A32603EA4FC5AB89895B9A17D1BF386822184BBFB73
                                                                                            SHA-512:41B250A80CB8D6398DCF2E5C56A8063FD5D297409103584C2EE3CF05BF7B38B00B319DC1A0CF2ABC369BC8A6598FAFBFC545202AD5E43E1BC6EA3EA2C8ACA5A1
                                                                                            Malicious:false
                                                                                            Preview:................{"files":{"assets":{"files":{".gitignore":{"size":10,"offset":"0"},"12x12-available.png":{"size":439,"offset":"10"},"12x12-away.png":{"size":427,"offset":"449"},"12x12-busy.png":{"size":352,"offset":"876"},"12x12-dnd.png":{"size":379,"offset":"1228"},"12x12-reset.png":{"size":325,"offset":"1607"},"20x20-available.png":{"size":384,"offset":"1932"},"20x20-away.png":{"size":374,"offset":"2316"},"20x20-busy.png":{"size":273,"offset":"2690"},"20x20-dnd.png":{"size":337,"offset":"2963"},"arm64":{"files":{"TeamsIconSet.dll":{"size":1518968,"offset":"3300"}}},"audio":{"files":{"bop.mp3":{"size":176768,"offset":"1522268"},"bounce.mp3":{"size":116288,"offset":"1699036"},"bubbles.mp3":{"size":153728,"offset":"1815324"},"bubblesloud.mp3":{"size":520932,"offset":"1969052"},"dripdrop.mp3":{"size":136448,"offset":"2489984"},"eureka.mp3":{"size":242048,"offset":"2626432"},"flutter.mp3":{"size":155648,"offset":"2868480"},"highscore.mp3":{"size":117248,"offset":"3024128"},"meetup_ring.mp
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):126024
                                                                                            Entropy (8bit):7.197395351282949
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:Oqutwq9fhb/yk26dqwQLshkk9bWNdcAoyX9xPj36wr8LSPjC+0I/Iaz3Z33zT:OXwqBhb/yk2Gq+ikVWjdtxbbr8xIPZ3f
                                                                                            MD5:0E00F05CE6EC41E01A993A7D511398A9
                                                                                            SHA1:BC5AC0C0D145868FFC4A796FF6558C7DAD2B33B0
                                                                                            SHA-256:37D0BB1B99B63DDC13029FFB99489F333C5B3AC360C02961BFC4DEA709CB21F9
                                                                                            SHA-512:C95D2E3965BF46653AD530D76FE8B23455FE488C413972F198C390611C28709A9654C968A4A2429E71318190C509B1C2700BFCA79368F1826AFB7565310482C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):44648
                                                                                            Entropy (8bit):6.712214916246132
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:xpb+d/5mjy53GHrw6yyxeJ7I0bJ6TRxw9zgAM9zl0do:qdBmjyGj0bJUIzgAEzS+
                                                                                            MD5:9AD9449DB3AB4427E552550C2AE79D06
                                                                                            SHA1:DE00AEB4E1EF868BDC00A93996C18AA0762C265F
                                                                                            SHA-256:F851A541DC3A21467CCF7EB766883BB854C5AA3AE390954F473B72DF9F7E6A46
                                                                                            SHA-512:3C84A71333619F656DEE7FDD05AA52568DBFC6F7122E6BC6C12CEB0F6BCD0B6185E2A31B739E3E34339DC4AC2B337179517BE98DA543D652F9C5FF6D1107962A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):415304
                                                                                            Entropy (8bit):6.458048544217013
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:WYFGHBEvz778o9JYH5K6VClZhYO+OLussBQrmEPIErfxFozrnygj+MdzKok:WnHZoHo5K6IlZhYnoussBLEw+pFoeEM
                                                                                            MD5:ABD0269069D1775729727A927918D282
                                                                                            SHA1:9C86AC6A1B90F3356439205D129B9A9A7CE9595A
                                                                                            SHA-256:4AD7E6798B010880B517C717E594F9A89DB3AAFAF6BFB61182D2791049DFA6C3
                                                                                            SHA-512:DB91789A658550174252E42D5722EDA36492383DFA51A171167332F13602C54A1D5F10D8D6F345346B867E737825FE4F1A28528C913FAF4FAD386AEE57341D1A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):938013
                                                                                            Entropy (8bit):7.055812500667456
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:df3/DoSn9GZG7fXMcH+/hPiHswHZ3ZpiRhiU6q13Idv/rk5RngwNtYjutXON67e4:TnrMcH0ZHUJUeU6q5Gzkbgw40aa
                                                                                            MD5:340156704BB8C8E50C4ABF35A7EC2569
                                                                                            SHA1:86D1B630BA55A5040231EDA9FE24A7BEFDC411F2
                                                                                            SHA-256:8F3472CFE8738A7B6099E8E999C3CBFAE0DCD15696AAC7D7738A8039DB603E83
                                                                                            SHA-512:67E03B16AE3C49E310FECE12A59CD42C6BDD3A1DFBBFBF60D51650565D62CDF4CAC4B317814F9C538DAE36D0B716D51D4FAEAC9C6CB2FC9A6DD3601048ACF802
                                                                                            Malicious:false
                                                                                            Preview:..O/................................................d...-C...6.?....C.......~..!............</s>..&.......de...]......in..B......and...0......la...)......sa.EK!......en..........is..v.........<........der..........was..g.......und.>...........G.......die..........for......................as..........que.gR.......di..........un.._.......el..........by.c........des..s.......with..C.......le.2........nga.x;.......del.j........y..b.......et.~S.......den..,.......at..........se.....................:.k........(UTC).O........von...........#[.......from.i........da..........il.C........Ang.t........du..S.......his.R........van..........les..........na.........are..........una..........he..v...........Y.......er.~K.......al..?.......es.H9........r..........das..........im..........per.6........this.S........con..........mit..........ist....................je..m.......por..].......est..>.......als.P........ang..........zu..........los.7........have..........has...................
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):169056
                                                                                            Entropy (8bit):6.733411839983078
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:FyLogqTXqifvBMDc/f0b9mNoJbZzMZfo4knTz:Fyozr6DTbYOJMo4G
                                                                                            MD5:5E48383E5D98BF5B0F1D37AF5DBBE6ED
                                                                                            SHA1:1C6E9C7B9C0B2E21EA15112FE4164F1CCCFDC706
                                                                                            SHA-256:927E7CD335B88AF70D77752BDA2D83D09728EB7A81E74335099928231279AE65
                                                                                            SHA-512:27DD48CE1DFFAADD6BCAA1472788ECE5842B416B5AFD01032EAAED9545DA223BAB4D49D1B3F82314EC31DA95B970EE2877BE97BCF278534A33D6319570F6A232
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1023072
                                                                                            Entropy (8bit):6.430832393639453
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:k2GBp0OpgiQtqDgrYFPAq4Tny398DN4daw1py1sX2hSim94omP:s0OpgiqqDgrYF4q4T5DNHwYkbim9+
                                                                                            MD5:21CC8BAB204F1F1399D2D55AEF37E33D
                                                                                            SHA1:86CA6C2BD1DA44F51AF93200E33E8A9EAE0CAB51
                                                                                            SHA-256:586347E804F0B546B79E77D42AA44C9FD755E1199EE092A45BC8FCF102531080
                                                                                            SHA-512:8B20BB557F7DAE6134DA338008F4042B88E9CB65B0A074AE2879DAE03C13A2A8F5017EF7408921BC86354F173AE10164DB6FC562844318497280A2A16D40867A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):116296
                                                                                            Entropy (8bit):6.4420589226609595
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:MkcjeKhqCUx8zcCfGkvJOQH5ukwPStR38+oH23FFJou3zJZLzp:mjBhlU6wkvJ9fpZNoH4FFJz1
                                                                                            MD5:915D3B689457F0A5E8B429408CE4B407
                                                                                            SHA1:67250EC0CB0933E0E2A5B858C0A75083BA3BFB48
                                                                                            SHA-256:A4921129631CAE9BFF46E1C99335E0541A58AC332610DCC990E78AE61E475A0D
                                                                                            SHA-512:BF1F8981EF75ABD8AE59CA727EF43136FF82CD12E24CAC943389FFACAFD02C4FD46486F840AD44F9A5F887E065ED18AF85BE5C089C43FF5ED068DFD7AC7FDA67
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1768520
                                                                                            Entropy (8bit):6.312355250937054
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:V6d8U2Jf0wh4qpepKWb2kMHrUYPInpcATr:o6f0y56pl
                                                                                            MD5:A45F31D4B23ED399F9E1A3A332878E55
                                                                                            SHA1:A1F6C67CF20375262951D7F72C8E8814FD8DF4D8
                                                                                            SHA-256:4A2AB20E05866F79AD788FA8D7114008241D3250FBF3EBBB8A113BAA871AB370
                                                                                            SHA-512:4058F13E47B4CF6098666C05F0AC909D951804DBC3220C3A84CAB1939FEB9D401250FE98A79E72593157B49B3D7AE3CA26E25E0244598CA077E0A8BD84CB83D1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):219304
                                                                                            Entropy (8bit):6.514468278752069
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:TTVYlCRc5IwG3mgVXDSBa6LY+5EBTRVo6ym0XuDOrTswIg:lYlCRc51A1h6aM5EvyVXuiJ3
                                                                                            MD5:7E3B27C0F33B729348050DD90D9A0038
                                                                                            SHA1:71370BAAE8A3FC0B32B06FB4563FE5896913134B
                                                                                            SHA-256:7F8466DDDE35E149620F7F81E00F1911AF45306C7FBBF7A75E9D8E67152408D0
                                                                                            SHA-512:9F0B274239C1FA453A1996DE773DF99D2ABA07ACCE2797BF4D8686F3FBEEEB597917A5838AD496B3A90341671EC463DAAC2AF0ABE662F5CD7A2541C0492C83FA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):212616
                                                                                            Entropy (8bit):6.423779726339643
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:tTdlimWV+f0ej9a4COU6fv7kPDLMKIiq6WTEgKx98RziLhIkm:tTfbWV7ej9a4COU6fvYXMBiqbRzid
                                                                                            MD5:889AE86CE3914C05D2F5FB8D9EA7338B
                                                                                            SHA1:76377C3C42CA91C5D76B588EF017C49846AA47CF
                                                                                            SHA-256:2500BAE14844B123F68CE2AB72284B2FFB8734962207A4FE33315C1E0DCF3E0A
                                                                                            SHA-512:426BC6B93A5D75A666D0CD94F5A4E8281DA12305EF80BBA14D80F9EFA348246E520A8E5EB2C0D7E2ADBBF66C29E4DFA45FC599E89DD324E7599A8229F6F149F9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):538184
                                                                                            Entropy (8bit):6.462414946018231
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:+lx2b6JweE4RFKGHkwgfWAt9V2GS2F80lvfTWJgu:+lx2bjGHTAt9V1SM80dqZ
                                                                                            MD5:E0C11B972CE3181D4A3F6C7721C5A892
                                                                                            SHA1:4F3DE1555E7CE58D17FA73846412BF0FD7499176
                                                                                            SHA-256:9C8BD72D579C7AF20A64A7BE9668175718837E0EB518A342F3626C690D0F5E41
                                                                                            SHA-512:3E16BFCB384499BDE9E7EB76ACEB824FF084B0B15D268132B49C4ED29B063F5F063908564E643CE1DAEA7238F1341C00E532A9859C1536C7EEFB8A6475DE1A20
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):777288
                                                                                            Entropy (8bit):6.503268306446413
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:7PM22/qUC4iDyjVtUAW2Oe9vxAsCv133WKKYTXH:7EnVXOe9vcvZ3WKF7H
                                                                                            MD5:4CC9504D56A3E9C5558222CDFDDE4C27
                                                                                            SHA1:FDFEDC1007F89EA97E1261DFBBE39376870118B9
                                                                                            SHA-256:149361C1E03D1F3181C083F332C437B2C0278F09220E45764712D1F5233A84F9
                                                                                            SHA-512:0F83ED03EAADC63C4005A885E9BC7ABDE32FB3FB18F9C640411FEFC4201511E9B31D866EB162F594F6B609E108994CB885D4BC11547D408D6C1AC07306D98586
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):462944
                                                                                            Entropy (8bit):6.403965290367293
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:X09wIwa7YT+Pp8VPbPrRJs0XJMtAB0HWTEJ4S9tz:X0+HKPp8xbrso0TKSX
                                                                                            MD5:6EDD196156D676924C4033CA061B855A
                                                                                            SHA1:B9CEEABC5187F09E479724E3C1320D00A586DE93
                                                                                            SHA-256:B6F55CD3570BCDC5B8984620AE0BB7A6702C6B7ADC5BE3D62CE34068F2108861
                                                                                            SHA-512:AD96FDC0C05D2B8BDACEC1BEE93AE7E6F7DA1C6C84D0B1BD895C9429AA5DDDD0FE648A28F1377CDB19D8C30E243B251826768E6F96CB624193BAE8BF5AE3D2A0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):211528
                                                                                            Entropy (8bit):6.44508276617275
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:qEDh1EpBSjWbDJ9EqIV1y/7Phvr7zQKCPzVopeAi43PQ0d0G+/znjToAoV94:qeKpYj88y/7P5/QKyRweAi43qP
                                                                                            MD5:F69CE6FA71D9A7DBCA6EC32C7A6A2C6D
                                                                                            SHA1:F2D56FC74F7907C0F830ED67F6B3C1A7474CC215
                                                                                            SHA-256:6F50D9A7740E46D7BF589F475EACB86583CAC226910D6987D83C9D03905E47F4
                                                                                            SHA-512:5154A8256DE3D1C5D471E6D3F96E03EC0A58CBA493511D4E5FBE654C56D88D7A6792CFDAAD50FB33CB2B2FCAD1C8814D311C0FA0B1A12E494F3A2BDB3D4AA1DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):239688
                                                                                            Entropy (8bit):6.469155909125638
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Yt48gNLgbvzY0b9f0hv5Q9IazJZBvwg0MELTvYwswm8hiIc022FwaPD5mbVXz1:YttyOv2BRazJHvwg0M6zkovD5mBB
                                                                                            MD5:CF180450849CC1A04536BEE1FD67D9CE
                                                                                            SHA1:BB1D7FCCBD3F81FAE752721ABD90F0DA67AE3BB7
                                                                                            SHA-256:85B28031A2BECA88DB432769BB364CEF5E8E6D0861F82E3F68C5A754634C57EF
                                                                                            SHA-512:FB90C161BF4799E329A858C4520E84FA11F6350CDB1346E099CEF56F6C8E8CC74F0C3F4998B96A16D0FF965CEBF15A57EE73C7525DF328D49BEF796AF77528CA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):670304
                                                                                            Entropy (8bit):6.447230459719399
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:M5CVHpXN1H3qC5Wop70uEOzfgt8LVc01LqV/yWlq9y06F:/hpXNUCPgx01LGBUcF
                                                                                            MD5:A9A915A183ABEEBA33310B6312F74F5D
                                                                                            SHA1:D90A19A5F3FBE77D2E935F9B2FDA7B18BD24B861
                                                                                            SHA-256:DA22D068CA47C439FCF39D0473E58A9477B32BC9BC8273DF6AA134667A3AB246
                                                                                            SHA-512:D134D591B5679E17CE97C8FB2A67CF7D22308E7CECA7F8879C49A8B3688FE672F11012DD75331E5BAF8DFFFF542D51F72F30321C3C47B9A7D266E2DE7810908F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3956808
                                                                                            Entropy (8bit):6.636371659230467
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:cf6Ez+jmQkut5TT354ZSv+JJdSY62yGVUxlG59WgDDhXsMaaXsY3nzh4ZltON591:S+IH3nzh4Zm4Uhc6HW54
                                                                                            MD5:53E41EBB544200D42EE6B9BA950CFE40
                                                                                            SHA1:2C06EBCD7E9299CA98A3C1144439308DD3E2583D
                                                                                            SHA-256:282C7294E7227AB6BC0841BE0F64734088E3CAEF9BF4FF8DDBD525FC05F0C058
                                                                                            SHA-512:CABC06E6FB7046C6D604C02F4C1829D04C29C6F3E4149DEB22F9B6E60CCD1A4309770B15D0F2923483EAEED193F68561F98ACE6853EA149687060A64DDF185FA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):209000
                                                                                            Entropy (8bit):6.395632822724759
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Y4cgmVTzfyJPrALAnBdxe1IrwqyXxkJXkNFmsfp/ysXe:HcTErA0Bdxe1IrwqmklCFxh/y1
                                                                                            MD5:0913E3C3B788885E7F19BEBDB247F869
                                                                                            SHA1:BDB04897707109931CCE43733FCDB41606DBC307
                                                                                            SHA-256:A5AAC1F3BC961D4B735BC6C27B5077DBEBDE53BDC9F455A6CF678FC04BBE15A8
                                                                                            SHA-512:F21323BA6F7BFB0D51A962A056593D0DCBF4440432B3E40845D3A872FC81EE162848296992E90F8CB467A10BEB245C4C4722D8C9D57E6EF975D8AB8D42316156
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):18424904
                                                                                            Entropy (8bit):6.695782211674845
                                                                                            Encrypted:false
                                                                                            SSDEEP:196608:yWo2dhpJedBkRZHYj8DnpO9eGQhu1nCPeeV:yXMhpJeqZbKUuo2eV
                                                                                            MD5:5A11D499926DAD902004066ABA379DBA
                                                                                            SHA1:7A455E39E34C1D7F3CB7057A22FE25B655D3D4F3
                                                                                            SHA-256:DD0034AD38F2C91C79A5FCE6C8B92E17B58279A3655FCBD0ACB216D4D9CBA7CC
                                                                                            SHA-512:118AA9083F9B1CDA7008CDBBC0A43E936C2B99FBEA7B83FC17A9E92B1775C634AF80E968152FBD992D367F3226BB8DFD77BDEC587930FDA076C12F07C4B26C51
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):7725560
                                                                                            Entropy (8bit):6.724437099114289
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:77xd5NS4aGlDruAZs61s1s1n1zSUZaY+uqGJyshAczLQJp3FIDBXPBWbBGy+LxLu:79fDrvNjqsacICWMqOTWP9X
                                                                                            MD5:D41CA1F4204278C99AC820DD3A191EE4
                                                                                            SHA1:8AAB9D89BCF6D55FB0DB08AA94D2E47B9965ABE2
                                                                                            SHA-256:1EACF3F2EF79A27EBA9775BA8AC7D3C14D08A5968CE30631CC102731C9C4E4D5
                                                                                            SHA-512:CF662EE236E388859F4C28520C1CA7B7B8BDDD1ADC93EFDC3A82992D405D2E2B9425589E189DE6FEEF3DC2C396EC4F77B3591257149ADC5E91695BFD9C773376
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):156232
                                                                                            Entropy (8bit):6.317364255294539
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:v2Gi6T8tXl0hQrvVwGtmF4xS6g6KohB5msdWnwl:v7i6T8hl0W67C4+hB53r
                                                                                            MD5:1435E71DB7E2DDB9CB337B9387D3C30D
                                                                                            SHA1:2540EE1682EF6EDE924F80CDDBCFF779BACD3C83
                                                                                            SHA-256:589652A9730FF79FE3566DA251FFC30351C5EEF2D4719D4DD43FEBBBC67F9FC0
                                                                                            SHA-512:C15D427517776A7A0FD24C28DC428FF5D6B54708610F1A643E764BDC070D997EAA9ADDBFB98E4A9F3FA80B6D2483BF72F0517C72AADA65ABE7C078F753301451
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1674824
                                                                                            Entropy (8bit):6.5037792513144534
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:Q9VoFeRVw0cpjF2+wBkwknB1kqCiK/3OqKdF1XkZaSsAdR2eVHWMYdb03G8hCG:QnOeRQckj1jBK/lcBkddsQWjb
                                                                                            MD5:58EFEB744C616AB7124E20C096B3EE2B
                                                                                            SHA1:1FD93EA6B3B5A510582C790A5806F8A1CA6555BD
                                                                                            SHA-256:AD0A3BA1E1FCA395006C449484A61C4555AA8B10FCE97F64391CCC0D5884EB6B
                                                                                            SHA-512:9BD38F65A811E964B5A3BDDEB126D9E43C4EE55500D6358E170FECD31D7F3FE929141E5A152386F23AC7125C1582CEFE9FBE70BC3EE64BF56E1104159E0EDB72
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1095752
                                                                                            Entropy (8bit):6.402891372884053
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:Rg9sEotLPQXtYkhGFCzqzaP/VpuFSQjS27Yiq+5cB3w0LRwcY2s3Pjv2gGZK+1fm:RgaratYkwrza3eF/7jcB3wuRLYLuN1u
                                                                                            MD5:5867F3AB0BF6F44B2B911E2F0AE1A67D
                                                                                            SHA1:34CB14FD1FFB9F3B2052FFB900ADA0D8F643DA18
                                                                                            SHA-256:67CA747D2A57D8157CF4F3BCE95BEC502294C4B3CA47593C96C22B34B566C4E4
                                                                                            SHA-512:F174E43E4FCC8C5FD60ACC1AC9C2A2C00CDB8296EAC2B5BD05223FC263B00B982712DE496286D4DFB2E26FD329DBCFFF253F01B43886D5ABEEDE48C4BF5758A2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):2420808
                                                                                            Entropy (8bit):6.69324004678105
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:uI+IZ6ViU6kPU6dkDkkhlJ2DsFdHGfVsYiqX7oCVvFZ:0MHJZAvP
                                                                                            MD5:1B6EE0B5BD4BDB86601CA10442D17600
                                                                                            SHA1:4F968BDEA8DC8040002A2CD28C761826EA9F70C0
                                                                                            SHA-256:95132EA656F387393EFF325C0688A471C40E7DB35511BC9B142FBB62510AA42B
                                                                                            SHA-512:98D34D549F55AA198258A0BCCBF259C5C9837359F67C359FF2C27A6981150A226330345BA27C23521E7CD5E7D9778D143E21A1105765EB94E585D89F282C13A2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:modified
                                                                                            Size (bytes):44012
                                                                                            Entropy (8bit):7.397917550582591
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:pxIG1ui6Hb+MJpYGVMcfDjASGzjt4EnshZAmNKRJZH:pmTHb+MJaGicfX3GnqLhZAL7
                                                                                            MD5:84647C35B58FF5EFD78829444A3902C2
                                                                                            SHA1:9D0621898A95A518D31164B57590FB392E2E98BA
                                                                                            SHA-256:A42ECA02A421086C26C8FECF940BE8D29DF4DCAF16B4E642C764A9D485069743
                                                                                            SHA-512:A38E6F6B472ADC8CF76CBDE72D9618FE7D02C7F942AE226C4778B8D5D2FCF30297198CBE406840A13DF3C9E7C0B1031454C6F2D25FA2BDC3B23920E0835EDB52
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):8396360
                                                                                            Entropy (8bit):6.525745326034534
                                                                                            Encrypted:false
                                                                                            SSDEEP:98304:mAkPI8o58bQMzVdxmvcbXKbRvBndGkFYbrjb4:3kPjXdxmEbXKbRvBndB
                                                                                            MD5:A826D0980E3AC85E176B54D1F3EEB583
                                                                                            SHA1:1FEA41EA0DA663F790497D8884AF28431B6F051D
                                                                                            SHA-256:E3D965CD0D579E7AD4C9D85E9A4C5699830E18EF00F4C4E422590F4117EABE97
                                                                                            SHA-512:243C444D576321C2A4925927C33551B92A6B1DCCF85E3DC35D34A45B6DD6A0663C3815878B00712A40D2973647F8261C7C6BBB33CBF35688C7DD36037653CA5D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):371494
                                                                                            Entropy (8bit):7.465111165899667
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:lq3vuCqK6Xny+jFV5m5X/j25j9emIcdVkJr3iixidtWwwV1gUkxCWNVX6LXyb7Vs:03H6Xy+P+XL2ICvktvxidtWwwVqxxChV
                                                                                            MD5:35D7B238ECEDECF367A343FDACE53AB0
                                                                                            SHA1:66D9CC55286A1082AFA2BC0CB45D57B038FD85D2
                                                                                            SHA-256:0C5BED64654D7B19236E9953EE4C85122F6D3B090C8FD28818636E885806007D
                                                                                            SHA-512:CAC1D0AAB7B18CCC12FC7AEC8C7D3A1DF727735E88F1B8FECA08D4E69B94D5D1194AE11F8EBF61298B6FE02AA3A838DBD13EC7997705B7B910D677A9B2FC7912
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):370220
                                                                                            Entropy (8bit):7.496118478384408
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:QD64Ijr5gYLV+WwZ5YFQe35+Q5sCkC0hSfw2zeKugZHxOCyemUAQVnJT+PJ9:E6466YLvfQeJcehzeTOHrffAQVJT
                                                                                            MD5:95FF8628CD563FB2AC23E4778FF1188B
                                                                                            SHA1:C54C2DE94DF05BC24E7EE2F4A1679D5004450A01
                                                                                            SHA-256:083A72A09101C895C73418EF829B5AB6B97B412322BC9C165342717F376D1D2A
                                                                                            SHA-512:CDEC378F1A67C7DEB99C41EF05D2C439B690964341EAB825055741C0888551D6FB7DC91817700E2A1F7764C618ED6A21DFBA15FC4C8AFED848CB7B9933314861
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):131680
                                                                                            Entropy (8bit):6.348796146121421
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:fE90Z0CTyulp54LSSSSSSSSSSSSSiila1KsZg8YrafIrmn4jyFIkR:8OTyulj0i81KsZgdWAi4Mn
                                                                                            MD5:29D6DD27DE95FDE8FDAEB46A7487E5F9
                                                                                            SHA1:377F184527A774BA9B527113749C46BDB23FCA97
                                                                                            SHA-256:7D52F47E14A468BB2F61E50E5A1A3F2E12AEDDA457BC29BFB7E13A2891F19328
                                                                                            SHA-512:16BB78ACEEA0DAE5D0F82B2D01F6AC4C0D255B1C4E0E78F6FDE166FA7B3AE3E30DE88FB71FF1178520C2C117D5783E80EC6C69D14E61F913ECB7F0AB7882D6F3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):5052488
                                                                                            Entropy (8bit):6.661676381475456
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:+IU6iLLmqCa0CJpyLnIRFVRKw1ANjHd8bzvvIcA670GDD2Y2OSm1oTfN/2erTnQE:J+gg7/ZOOjWfNZo9w8Jz1R5ZEyy
                                                                                            MD5:EC16915BED8B29155387485301D7A6D5
                                                                                            SHA1:C4DC1DFE576B33C8442B1B59F547391646D86377
                                                                                            SHA-256:D641ED726C03D7C11CE46AC62A8F404B5FF4AC7C6CA8073CC7BF70823FCEC525
                                                                                            SHA-512:6FC1F96154A1812BC07C3FBB3039B3FE990D4D3C361706D1B2DB481F09E7C21907A4F8CC9012D0A837D6A02888A4150EEA9B01F470173E8389D20EDAB66A7D76
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):12495432
                                                                                            Entropy (8bit):6.49930524660506
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:e4tP1/fpZyxGQjVmrql25Ihn/wVCZ99ZLrkuf7bcQz0fmVherEcxNZR8hYZErKtS:dt/cbrkufXVQJF8bCdZ+smM9rZ6PwDil
                                                                                            MD5:11B4F50B216114B10E3F9923D4978411
                                                                                            SHA1:23775034AEA319825276E8017084AD8C0331B34D
                                                                                            SHA-256:2CE856F4C3121E19A18F563161B9AB22CA96C422EB67B0F75E79260F3429974D
                                                                                            SHA-512:B4EF74A87CF2D8EE237FDF28EE392007C31AC67207BE4C9F911EF6CAE1661CBA9B868EDE8F0019B0B2775D0C42040341F7ECE7426E4F9EBF5C714B42503CCABF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):399432
                                                                                            Entropy (8bit):6.003975154048508
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:KoESpgWXA/T52CaRr9ptv9YutpVzfBxqF7pRKX0u:TpgWXWT52bR9ptveSXx0RKE
                                                                                            MD5:32D2957247B5236C198F030BA7C1A500
                                                                                            SHA1:F6341CF35F458269F83AEEB3A7E2D9C25C7798B9
                                                                                            SHA-256:AEC2BCE8521F4F1FC10BE44C00CAD79ADD515715D5C3240C62F04A0B49234EE8
                                                                                            SHA-512:957C82CF12EB2C3A70210260FA5D79A6E4F2BC09E18CBF987AA47B1E91EDC7BD506E4A0C24EBADD08EB3D051D1F80FBE48C0BFBE4A06D095F13F997A240A7E68
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):397384
                                                                                            Entropy (8bit):6.533857841786125
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:N1SC3x480+QJHXTRx7Uke1XA80eHrm+ATGQtRFTTAOIQWvUSEClxkX8VtY:N1X4L+QJH9hUkCgVTddTAOIQWMvixDY
                                                                                            MD5:9667A9223D9E30711CB1B9C28147A15C
                                                                                            SHA1:248106C66E15F5F48A9E20ABDBC11A841BBC7208
                                                                                            SHA-256:03EADF5A5F63B946C56AD174358A04EB70C7632D470D6E670C555AC92A0B64C7
                                                                                            SHA-512:82EBC4093CEE3925D3457A7EC36F66E86B3E79191951F844F7A64A42ABA75F16C5AB6CBACCC6FAB6617AAD5F3C10278BCCE6A89FA07DBCD04106507E140F9E41
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):439
                                                                                            Entropy (8bit):7.012052266568622
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7DR8/kAPZewT1Lm7OtbBxordTcMV7v:+RSol7ktSrdTHV7v
                                                                                            MD5:2FCC0EB70D8998EEDDCA241B049FD140
                                                                                            SHA1:F6699C636B0BF54A773F9DCA111577EDC49436CE
                                                                                            SHA-256:C22536DC7EEB83EB0A1E509A9F0B2092982302A02982AA0DA23CE54E04B28903
                                                                                            SHA-512:3C4EA183D28E13089CE913A3FC93E29D22655F51898639BEC535774616E4BF1B249E5D16E1C2D60B5545964A83095F4ED94BF734BAA7E5343C18C20AAD9077A8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):427
                                                                                            Entropy (8bit):7.069527276942106
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7DR8/kAW2GsnURNgdDkiCf2PwA2Tyc/Bc:+RSuipLf4AeyGc
                                                                                            MD5:E48D99F780CD086B94C393C375718A12
                                                                                            SHA1:2770F1340AEC6C222EC9E73A975006B70AFB502F
                                                                                            SHA-256:7814D23CF58D38087A09744D1ABBD75A418FE5CEDDA74561A65BB7F35FD451EA
                                                                                            SHA-512:9287022DA336BC7512377AA682D3AD85F9EEBCB7C63E2B0D12A5FD2DD83E581F5A720B3021520A635BEB95F8629A7EE65027D7D554F125E2E7155673E742C748
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):352
                                                                                            Entropy (8bit):6.798568230262349
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPIcR8R/UDTljg7+BXakzVAVgsDc2KEZwe1hTytm4UTHHERFsWxm+G8glljp:6v/7DR8/kA+BKkzigP2Kdqc0YFvxdgl7
                                                                                            MD5:24AEEFE6F08022CDC17772BB8A2D9E3C
                                                                                            SHA1:F9CCBEAFE11B66D0967626C926664E6F01EF5627
                                                                                            SHA-256:C77DC96FA225213B7CD0C647AAAF657F343C8371D6809BEF7A2A07BC17AF977F
                                                                                            SHA-512:F7E62DB0AAC633CC258FEB1150C6534296DA822B6A1C9B07BBA0D9A390320F99D9E361D11404EC246EB6435CF2B2F029B01879E65A5F7AF31BD75598652ABFA0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):379
                                                                                            Entropy (8bit):6.9421420243208125
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPIcR8R/UDTljg7WhArakzVAVgsDc2KEZwe166Kd+hNz5cxVdZXPs+UlXwQB:6v/7DR8/kAWhA2kzigP2Kdqsd+J63Z/m
                                                                                            MD5:088D824C221FF7626AE857B2E2811AF3
                                                                                            SHA1:211BDD35D03F852A601FB4C8F0B591EA39CE4C92
                                                                                            SHA-256:6E138C70BAB115DB6A18B406AC562D5C960FFBE24805D3E355F98A88C0D11950
                                                                                            SHA-512:008ECCAF5AA48FADB353E067F3B56729BB1CB439264CB6806169F2AC7C0CD6088071BCDD4381C7DB39F0D95FEBC9EC1CD4C84154374F4FB6022DD28E8DDC3CB3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 12 x 12, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):325
                                                                                            Entropy (8bit):6.835643852475039
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPIcWCCtdoRg7sL0Kdxu+Nbfu2/dx5qb6XC9/XvjlNk6Bysp:6v/7DWjtSU20+uAbfFdx51eXb/x
                                                                                            MD5:8C713061F59928DB085FA718A5222B71
                                                                                            SHA1:09FB3D0BCF8D8FD7B76BA62FBE384EBCE82E44B6
                                                                                            SHA-256:7A91FDE9E5F92F82CA46D6FBC05E35C018730614CE9EE99E32F9CD1FDFB87777
                                                                                            SHA-512:50190AFDBF80A6587F2CFC50678265AAAE4F9D996DB2B799876DB327BCDDD70FFCC97D4F8A1EA76DE8935BDD236CA9871ADCFA5CB30FEF9CDBF40CAC03A697A4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):384
                                                                                            Entropy (8bit):7.13164171395331
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPUMEUW1vH4jFkyjxK7mCsIo5iyYH5LLkt+IAyM9qslPi2Uq6i00Sf/Vp:6v/70tuSmCs7iyQVWYyMAGK2UYSX7
                                                                                            MD5:CC274EA9D3923B46A32B6F88CBE45337
                                                                                            SHA1:63A38DA1B1B0B11E377C3B6567B700323E5468FD
                                                                                            SHA-256:1323DCA6677345516709B850847B82CEF9773EF620767E7870B6935455E8B65A
                                                                                            SHA-512:1A125155C972104B588010197B136C661C2187BD46FB66B338D541B4177F9F3529890A49E8A528E95F82AAC4763D47299937943897430A23D1AFAE43FB7762C0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):374
                                                                                            Entropy (8bit):7.165577891575343
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPUWsyWY1AukoKtYiK6gl1l5G4WQtSHuka+vQf1RnPxi2LeF4317q3ENa/DD:6v/7Jsy9AukPZKRS4WoSKOQzhLeCl71w
                                                                                            MD5:3EE9E58CF773F52DF57B0644053E9652
                                                                                            SHA1:C8389A7217139EAFF8561141470B3792188EFD77
                                                                                            SHA-256:3139AE75764E485D52C73458F0A78ABD9D0CBBA78B55204F5045FBAEC49F39D8
                                                                                            SHA-512:912E822018DA19DB4FE03267FC5A20A816FAEB06324AB6AC2DFCC5E5BFF62143E7A22CA719DF2F4D15CBE11DBF97980E916C28C52BA384924B296DC0295DD1C3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):273
                                                                                            Entropy (8bit):6.712556800600435
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPUJV83+t7AsGEZviVOjmggIu0BOGxYtA+QUbp:6v/7o5XZviVNIugct1
                                                                                            MD5:3B21C3C5C0CCD6F5A93CFA4D92B26D6F
                                                                                            SHA1:FF2985E3E079398953E7EBC22B7A954EA3E7D2D6
                                                                                            SHA-256:25A85942E65376FBD345546FB4CC169C7CCA0288F7962E5DDC57350539A9BDF6
                                                                                            SHA-512:C392FEF2614A7CE133E624E0907B76B20F3CE7949C1B304279FC4E480B43694543022735D2C9D73B40BDB9DE15688996796CF1523E82B096F45702601606E4EC
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):337
                                                                                            Entropy (8bit):7.100762070349337
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:6v/lhPUiUm9hLEJ4RmzGtkAdSmK5QZ9Gu/eTcSOaEqJ8pI1A5KY/e/yYHMNp:6v/7vAJ4UzQkAdS95QZ9B/ScS7EqJCIq
                                                                                            MD5:A543634EE221F009906AA36C87E23B7B
                                                                                            SHA1:11AD80DEA866AAAA4E415E6C9768C72EB5C5E911
                                                                                            SHA-256:BAB431117FEA66AA9D35F4E1C2F5533BB9D91D41F0CFA6CC006C3D176AEC7A9E
                                                                                            SHA-512:2DFCDC9EA19D64E692933B7F182E9484946B45B26E16C965FE4B6F402720D7A84BD63A0EB91376696EF4B0810F0C7E431FDF31A880EA8C89D9008E6E482F8E38
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14729
                                                                                            Entropy (8bit):1.6059202384282871
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvOxN+Y9VbYPNBClgmsc5pJ7Fo526:KSqskEWRHxNXVbIiVsc5fFq26
                                                                                            MD5:2FF54E7BB062515BF79325F80669D842
                                                                                            SHA1:91B040C281C89C75DA10813A1CCCEC334822CB0E
                                                                                            SHA-256:D2AC0D43731B2B09D6326BDA0ACF3B3752F85D8473E8C50D5E1BBFCA930C5159
                                                                                            SHA-512:2DAECEB313E2514416ED410EB8C4ACC65254EDE5449E9424E1F67E6CDC4D362B5026AC3ACFBD7347EE27D0878C3C4F6597715A20D6316DC34965E5D9CD8F8F70
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14853
                                                                                            Entropy (8bit):1.6935905159259363
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvQxN+Y9SbBCAcsc5pJ768shF:KSqskEWRNxNXVsc5f68shF
                                                                                            MD5:D23825A9327DA40A57ECB4ED8F089ACD
                                                                                            SHA1:A3CC53BF737219F474BA19340CB3CD95FC832794
                                                                                            SHA-256:CE641CCC0C9960692442CB9112E83A3FEF369913E1EE94CAEC5FE4BD313A7DCE
                                                                                            SHA-512:D45BB7EB9371D554F176F2935185C2B2A047DBAAF12F0752598F5CC53200606BC750E5F5208223A347651F81B564D16E4A96A05D6C2FE6F83F7F74B1D3DD788F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14869
                                                                                            Entropy (8bit):1.7085477752587221
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvJxN+Y9pa1nEBC5/lsc5pJ7H/xFiGm:KSqskEWRYxNXpa1b9sc5ffNm
                                                                                            MD5:8FB53B235367BE60F8D5F35F91628FD7
                                                                                            SHA1:FF9A9A1E25568244F269D5B8C3A191C7B592A433
                                                                                            SHA-256:5BF4E3C71A89685E65450CD4EABB792A90BE1ED84B4C0987312AC78635B3983F
                                                                                            SHA-512:8A9D7AB3162F2ED045ECA07DE4587CB3F1C3DAAE87280EA3F03608D9CFD4BE943683D6EF389C43BDBC3D0C3A9A9407040FD0C858B15D0180B0CE2CF5B94B3C5A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14822
                                                                                            Entropy (8bit):1.673690552172562
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEv55OxN+Y9IekGBBC4kSsc5pJ7S5wep+r:KSqskEWRXxNX/sc5fEwXr
                                                                                            MD5:6C1DE952A64E943C6EC75FCD7E6D74BA
                                                                                            SHA1:9569F91BA632FD0A8A0508FCCD6BE2BFE8673193
                                                                                            SHA-256:B92FE14C48E5552216BD7E762EC66E60091C167DC371424C2FE6EFFE3FDC2D89
                                                                                            SHA-512:2D31912D5DC0E5127D1B53966625723CF233242F0DC6FBF1BCD53105329370DF9C7CF01D29062EBE4E20633ED19FD84E012E5C33DA58D58EDD4DF33A14236D20
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14828
                                                                                            Entropy (8bit):1.6770066789318225
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvmxN+Y91hOHjBCFKWsc5pJ7qTmS9mcYF7:KSqskEWR/xNXPsc5fME77
                                                                                            MD5:8339EC04B232FEE5E0A104986104FD63
                                                                                            SHA1:041989869C72A1233E0C92490587A7D7914BBC05
                                                                                            SHA-256:9E2AAD9C4DFEDAA9FC04714399602E841409A07F746104258C451200518A3485
                                                                                            SHA-512:E7D22D93603791D9EE673A431B6D430FF5C0BEED07965392AF3354CF71CFA0B8510A0108E697CCD1C6C55022F8B1DC8B1FF0825939D37EF925435F9CE5FA98C1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14869
                                                                                            Entropy (8bit):1.707497290815052
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvaxN+Y9S9BCWysc5pJ7ZMwlNB7Fo:KSqskEWRDxNXzsc5fZb7Fo
                                                                                            MD5:68EE89B3A53962726A35D9B7B847B428
                                                                                            SHA1:69DAAEC6106CAF9266D8DC9FB696282038BAFF1C
                                                                                            SHA-256:F716132F99A7D73C73CCBDCBF2A139AF2BCED9D7B6C4D273B324741C4D59329F
                                                                                            SHA-512:6E3996E9C9879100B871097F5F621EA541F5F2DE084922DE1333DCD16F0FB7CA5D653B316D04F2E353B1A2BFBF601052EF213075DA7CFE9CC06CA65E75CBA8B9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14794
                                                                                            Entropy (8bit):1.648458805280273
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvMxN+Y98g2WLBCsSEsc5pJ7k95d:KSqskEWRZxNX8ghTNsc5fKd
                                                                                            MD5:DCA5BEB35DF60969EC106B038FAAEFE5
                                                                                            SHA1:9EAB86B813C46B03BBCBE5954150B15A0D4C7F91
                                                                                            SHA-256:6FBA76ED44FBBC4C3AF83BF4E1E62582649C6AB6B3FC3373762E9288E907C856
                                                                                            SHA-512:9F04F01CD1C38DC7AAE90329291869B5301B8B2301020F2EFA385FDDD97D4B815F7F46D5B02024BD29A7A2E6F9597D75CBAC75EA717C1C8E77A7091159B420C9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14853
                                                                                            Entropy (8bit):1.6888815601045664
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvMxN+Y95E9/sBCpnQsc5pJ7/lzXzOrZzB:KSqskEWRdxNX5E1TQsc5f/lzX8zB
                                                                                            MD5:30C347F772E309D7752B35A49E34933B
                                                                                            SHA1:B1591B1FAE0B45DA07F0D3AD036EDC480B0A2779
                                                                                            SHA-256:88A0836CC8483CF5A721ECABC3575FA039D2EAA10F0B5CB2AC00B5EF4C3659D1
                                                                                            SHA-512:47B44CC0D3EEAD7D52C6E807594969DD9AF53FDEF21487BCC72CAA96D5D0E6D1F8FA77F86EE811D4BD8B28451B446E774D44A47D2F8F72DAFC07EBD55BC4D96C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14877
                                                                                            Entropy (8bit):1.7123135775491303
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvtxN+Y9MTnW+BCctVsc5pJ7yFDaYt54FGNz:KSqskEWRIxNXMTWozsc5fgD354Fmz
                                                                                            MD5:F672271EF7CE289B8C76CC648041D8CB
                                                                                            SHA1:4D517DAD85B210F93DFDDB10237E9D3C3FEB8616
                                                                                            SHA-256:D35B658DA75D266819BFDAD1DDCAFD5EB48D28452F2AB5D3F85BAE65ACEE7CC6
                                                                                            SHA-512:806B9319333235FA5B8FF0A2E4027D60E9FDAE84A7498CAF64DC4BA444E6D9EB88647157830AD49E91F2DA7327DEB929DB22A882CA9B58AB18D42741336D71BD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 17 x 17, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):14888
                                                                                            Entropy (8bit):1.7213169660149799
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:K/6fSN+k29W8sEvxxN+Y9aXBCMZsc5pJ7uJZ+Lo82U0LpD1:KSqskEWRAxNXksc5fuP+M82PR1
                                                                                            MD5:D5E786725ACE46A33770FC282B2B6E22
                                                                                            SHA1:4415C3D13318797001484E4F970039C61223A38A
                                                                                            SHA-256:654DED5E5C35C63CF73DD2AFE7D025BAEAF279F4E416D472F3891CDA9A5FC7B9
                                                                                            SHA-512:B3F037CC1FC60A18584C31F93AEA43623B4895DF60915392A9D1CE1BD113244CF1172E0782103793C18224E3DDDF1DFD12404A58ABB7B85EB655622A29E11E0E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):850
                                                                                            Entropy (8bit):7.646599648906913
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:sJuLjlhtJ68lhwe4F7r2crxmCGq+Dx/l3U6ucUT:KuLjlJ6kM7rhKDPucC
                                                                                            MD5:AEC40C9F34B7A27A4D6F98A5FA3FD2AC
                                                                                            SHA1:19E3262572F07449A819448C6FECED82503B0FF1
                                                                                            SHA-256:FBC07B36A9A6D004E37CCD793A0F3A9F03CFE6E7C42B32325973C07F7EAE7E99
                                                                                            SHA-512:8BA600765C077A05BEFEC2E1C75B1EA47592E1F1BECDAA96210493CB2FF4E438CA1437C10C43AC709088F06B33D5822A5186BC4949AF347B578046DD63281501
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):809
                                                                                            Entropy (8bit):7.5594332215386215
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:OgFrrm1UohmnW4VIze2uwyFzMauJqB7N0nPO:OQm1xhmnVIze2uVzMa/N0G
                                                                                            MD5:ED5909A643C1B64C0860C634B17BA870
                                                                                            SHA1:ED78D5490398ADAF6015075A7B4831058A5F70DE
                                                                                            SHA-256:8260CB14ECDA3C50BDE20986AE5A481A200768CCF7B0D003F2E570CBE67F1107
                                                                                            SHA-512:50A86F8C29A723B8A5C3F3F099E6D57BDF6856BE5B682BFEAB48CAAAE08834C1E845747104CC4D7AFF59C4885C49B39110A8910282C039BEE20C06C246FBB432
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):11977
                                                                                            Entropy (8bit):7.875467681340248
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:ZCyS8Gu0ggg10lsB9QOJqmQXHY9uEdlBsyFoz7PHMb6DHUjeqwnOLn:CVu0m6xmK03BObfH2eqwOr
                                                                                            MD5:D176D52BCA49B0251145F0D2E771FD3A
                                                                                            SHA1:FCC3AC197579560E01267BE8D1326B990CC79FBF
                                                                                            SHA-256:3A32FFE8257806362AD8DC95920BE0CEC7A5A1B4ACF476C07F423890AB298101
                                                                                            SHA-512:A44BF00E46FC41516CB54354D85D650111E21A95E742731DCF64CE235A328F6F54AB7E6C90EC4120910C0F72E70AD9206781DE3D83278CFF48E07BCD3972F59A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2031
                                                                                            Entropy (8bit):7.878956854443785
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:UcrNpelbtDQTcg348iFtzxUYoz6buqmmastNVf7:PrNA1tDynivlUh6S7gtD7
                                                                                            MD5:660CEAD0B666C9A632C38A7D417E0B7D
                                                                                            SHA1:1DF4395EE940A4FD76313BBAFC4C020E5628A858
                                                                                            SHA-256:1C5A79487A33369D025985767BB618C8AEB743449D7A0DF56923390FB858ED60
                                                                                            SHA-512:56A770557B6147D2A12EE9E183E6267DCB00287CAE73B9334AB781BEF82138E1D14BD77992E4B09D67DDD330A4AD95C204E08986C7480690DBACB838C2667D8A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):826
                                                                                            Entropy (8bit):7.715748580322733
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:QeTlUweQzsTQGOXosmEytV6LGKvqdsQGV:QSnrGRfVjYV
                                                                                            MD5:76E9F771BC71BF5BBE0E94DA2A30FCB8
                                                                                            SHA1:C0C5CE03B89D2143F8417FD8C9FB048CD5E9956A
                                                                                            SHA-256:2E3D2A248287F8F0BE738F65689919BE11A63B8CEF0D29316C49A0BA3B8CE951
                                                                                            SHA-512:F5B1E2DC13CE591A9244C136534301E1EEEB6844CE8A4057A1DC2F557081E7DD3EC08D4DBC34027AD799BE484EB6959209731FC6D1A6769AD3C2F8B648AAD78C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):675
                                                                                            Entropy (8bit):7.586861262688589
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7XqV4Sf4OhTDLFrwaTtJpJLL8Tk6UMvwzbl05ANGHZm8uSZsFkhw/iG6:zrDJwYdJLASMoHl0iN8k8wFkh3G6
                                                                                            MD5:C3884CC8AE7433A4030812A6411A6C2C
                                                                                            SHA1:85392546E6A214AB6CFE645FD2D3FA1831C3836E
                                                                                            SHA-256:FBA14A73CA6E8F75E821965CC48D84DD23C2227DFC82EE3A2FFDD583091E6E3E
                                                                                            SHA-512:184F82C872787AB32B6836A38E58AD48406B4E68FD2F6BDB737385BEEA3458491F684C1E8C8588809E3AD36F4287C29F8AA703DCF7A0540EA55057A2A63491DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):778
                                                                                            Entropy (8bit):7.640087957587639
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:XIvtZgSmzYRjgNBTenq6X10I2DFxrqydzrVra:0bB5RjgNQnq6lN2hxrqqxu
                                                                                            MD5:CE5B63679D01546956C7F94BD6C6F0DB
                                                                                            SHA1:F6620052FC252FB5CB1933288B79B9A9BA715B05
                                                                                            SHA-256:E056314EFE0E988A266AEB80EFCF0A99E114053D026BCF4A92DA1678B932E820
                                                                                            SHA-512:A5267EC50F3416BBCDB21C9C07907320ED36473060F1D2BEF0105E45EADCA37AC88B93C0EF10900A35573217C1B56F3D5D0CFBAD3A01FEAB6A79DEED90803C52
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):630
                                                                                            Entropy (8bit):7.429308116382508
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7z04viy3r6kkCbvgRsikkTD9CflP9QqLry0RurN:OaybnMRsi7al97nd8
                                                                                            MD5:F19186877B2661C7A95F32BFAE8FBCDB
                                                                                            SHA1:75FE3F5E2D6ED0E729F25BF0763A50235BE91249
                                                                                            SHA-256:B4C2BBD0955DAD8C3941A7AA94466805CA97F25DBB2FACD593AD37439782834C
                                                                                            SHA-512:F18F32A9376B1FBC166E02F2E65DBE3B904B5F9634D93B3A59DBE368E256FE14EB8DB254053D3E0657A3F2DD8E721070E581C64C8F0F38B745D7BBA0D0BD505B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):719
                                                                                            Entropy (8bit):7.600289432124494
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7ia4IFY3rV9orl4klm4CYBSnkurLF9Ov/To+sOnpoQkEXhJsAkEhzgu4:gvY3rVTSrCYBKrLF90rtFzgu4
                                                                                            MD5:A3005A327B19B7978FEFD5BF2455998F
                                                                                            SHA1:56EB3CF0ED9FE45195B4E437C1EA6D6B35D79BE7
                                                                                            SHA-256:373968F8C0B5D17C6144ED79F0363277B6D478BE7949AA032D077A7B80599854
                                                                                            SHA-512:18D11DFFCB504656AE8523B299FC1191DD990C82888BB1C3291EC267FDEFF3CBB115D0220EA8749FE12DB0610B44ACDC1B98AC35839CF99B0C10A36B60562718
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):610
                                                                                            Entropy (8bit):7.5437326286996615
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7XqW0TM6K4jLHBzhalQE+6KMv6NaSIrGgL:8H0w6K4jFElQEnKMvQ1ISgL
                                                                                            MD5:3277C3F3547CBB4B726E60A82CBD3C0A
                                                                                            SHA1:759EFBF170BF7A968ACE14CD73EC89DEE122DAE6
                                                                                            SHA-256:80EB681A8AC10F5CCABCDD0A9BDE22490B246131A1F916F4B9C0F235F49A2FD9
                                                                                            SHA-512:88344DB14B64D5198CAD991CCF1F56EF3FBEB6ED068E26B0D5818B4C44B6E2C7483A041AF68C36DCA5C137CE41A0702B20156A0B61E36417F4CC825E3DC06040
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):639
                                                                                            Entropy (8bit):7.532521537341042
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7Ypz0ERRYQsbkrEXLgyjAAUfutEEXMhk+Kn1vJbpSg+4SNrzU2+se7:dpz0OePAyLmOXMLeppdSNrXVe
                                                                                            MD5:79CFFBF81828E8DB5C689A4D0342D633
                                                                                            SHA1:25C405C6FF051546344E5797AF3DAB8F6545708C
                                                                                            SHA-256:C9038276189E344C0B6A50F17FE31749236BD1DFF6E4AC94867C12208238DE13
                                                                                            SHA-512:B74BD2CE9C745F49321952C884DDE7B5E653F4EA8320EAE85B24D092FA1A2F10F971720C519870D5895A1B6F983EB385272E12C93A066C9526E61BDEE974F65E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):733
                                                                                            Entropy (8bit):7.655197221865182
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7iPQM8I8WGaTWrEdCR4zRWyhhIIbe5OkgOVju+MpDswjjfpVC+tjSdQwKUUlJ:1l8WGaTWr2JhhI8rkDMRjpVT03wa4
                                                                                            MD5:9EF1BA6AC89834BE4BCDF2652D91F9A5
                                                                                            SHA1:37BB5053B85C273C97DB452E100465A54BCAB084
                                                                                            SHA-256:C968C112C0C0618FFA946F66DFAC8A89C459DE386C68FFBDC57B08F55C494AFE
                                                                                            SHA-512:A2CD4D4C8AB04B993E038E066A48DCD9C7E233E2345DD5AEE4CEEE3A09006B12486E877E202313A23EA86C099E7EF2D131D8A9B1C16FB270A2D2A9ADEFC48290
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1887
                                                                                            Entropy (8bit):7.889588847495016
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:2cYMDkXYwILC2BDvSV+kVJsmmry81eCS77f:2cYDX4zDOBsy81eCCz
                                                                                            MD5:66B8A7879F873B338725C8B06BDEEF9C
                                                                                            SHA1:59113F7785B10BC695E5CE1C8B39026702B5DA3A
                                                                                            SHA-256:17E176E07B09A91E6BF4D0F5B8A9F3BB408DC4509C796EBD715D94EE2DBF64CB
                                                                                            SHA-512:3E8E671C8875E122DFBA16B2D5CA9EAD0BFFC3B9962344F59560BCC25055554D8C9290532320426FD027C7552A11DF8A2C134147B88D22B81936AB3C9D961F71
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):751
                                                                                            Entropy (8bit):7.657343452469019
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7i64ICoQNmtX0ZwUGeAgb7PpQdrJyIvFvaCegiBm/QOWnIJzJsw8nPbvTB1L:A7QN8X0aUGepmdrjvFiCegkm/QOWn0zO
                                                                                            MD5:160222AFDBF0DA6FF4270259EAC9CC7A
                                                                                            SHA1:161FFC365ACC545A7DCB427CCF648EAAFB41B472
                                                                                            SHA-256:2F185DEF8CDC592886A49D084F370547576C2E5A569010A73629CCB99AB4D74E
                                                                                            SHA-512:A5BECA160C0AC39AD2AC3AC3BBACF3729CFFCF9730DA5BAE83AF5770F3FDD1F99C675D4D43036C3162DF0DD095D91C9E694593474F4836019A8F9F70114FCFE8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):602
                                                                                            Entropy (8bit):7.510184275333155
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7z2GQA2a+O5p5FKcgaSq9iA9W6u6qNyHc4+roo/e+W0C0tN:i2BORTpgaSq9RY6u6Q+o9CkN
                                                                                            MD5:A1FCF1611EDF144263CCEE6DBD435028
                                                                                            SHA1:98ACE5AD5304BFEAFFD090619A942286886C088A
                                                                                            SHA-256:98301CB2E7EF13C92207FFEAE491ED29EB7F47152C14E571F6FAB928F39F4916
                                                                                            SHA-512:E414492BD6C0B187F655F198C739EE7D3BAEF31AE999DB3C0072DA2804C12A75ADABD537941A3C59E682DD3B7B7D87DCEB66865B1BAF7F8C0A5448E88678903E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):751
                                                                                            Entropy (8bit):7.657343452469019
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7i64ICoQNmtX0ZwUGeAgb7PpQdrJyIvFvaCegiBm/QOWnIJzJsw8nPbvTB1L:A7QN8X0aUGepmdrjvFiCegkm/QOWn0zO
                                                                                            MD5:160222AFDBF0DA6FF4270259EAC9CC7A
                                                                                            SHA1:161FFC365ACC545A7DCB427CCF648EAAFB41B472
                                                                                            SHA-256:2F185DEF8CDC592886A49D084F370547576C2E5A569010A73629CCB99AB4D74E
                                                                                            SHA-512:A5BECA160C0AC39AD2AC3AC3BBACF3729CFFCF9730DA5BAE83AF5770F3FDD1F99C675D4D43036C3162DF0DD095D91C9E694593474F4836019A8F9F70114FCFE8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):602
                                                                                            Entropy (8bit):7.510184275333155
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7z2GQA2a+O5p5FKcgaSq9iA9W6u6qNyHc4+roo/e+W0C0tN:i2BORTpgaSq9RY6u6Q+o9CkN
                                                                                            MD5:A1FCF1611EDF144263CCEE6DBD435028
                                                                                            SHA1:98ACE5AD5304BFEAFFD090619A942286886C088A
                                                                                            SHA-256:98301CB2E7EF13C92207FFEAE491ED29EB7F47152C14E571F6FAB928F39F4916
                                                                                            SHA-512:E414492BD6C0B187F655F198C739EE7D3BAEF31AE999DB3C0072DA2804C12A75ADABD537941A3C59E682DD3B7B7D87DCEB66865B1BAF7F8C0A5448E88678903E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):826
                                                                                            Entropy (8bit):7.715748580322733
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:QeTlUweQzsTQGOXosmEytV6LGKvqdsQGV:QSnrGRfVjYV
                                                                                            MD5:76E9F771BC71BF5BBE0E94DA2A30FCB8
                                                                                            SHA1:C0C5CE03B89D2143F8417FD8C9FB048CD5E9956A
                                                                                            SHA-256:2E3D2A248287F8F0BE738F65689919BE11A63B8CEF0D29316C49A0BA3B8CE951
                                                                                            SHA-512:F5B1E2DC13CE591A9244C136534301E1EEEB6844CE8A4057A1DC2F557081E7DD3EC08D4DBC34027AD799BE484EB6959209731FC6D1A6769AD3C2F8B648AAD78C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 26 x 26, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):675
                                                                                            Entropy (8bit):7.586861262688589
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7XqV4Sf4OhTDLFrwaTtJpJLL8Tk6UMvwzbl05ANGHZm8uSZsFkhw/iG6:zrDJwYdJLASMoHl0iN8k8wFkh3G6
                                                                                            MD5:C3884CC8AE7433A4030812A6411A6C2C
                                                                                            SHA1:85392546E6A214AB6CFE645FD2D3FA1831C3836E
                                                                                            SHA-256:FBA14A73CA6E8F75E821965CC48D84DD23C2227DFC82EE3A2FFDD583091E6E3E
                                                                                            SHA-512:184F82C872787AB32B6836A38E58AD48406B4E68FD2F6BDB737385BEEA3458491F684C1E8C8588809E3AD36F4287C29F8AA703DCF7A0540EA55057A2A63491DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:MS Windows icon resource - 18 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):173040
                                                                                            Entropy (8bit):4.832679284786238
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:AiqHqn9DG8ph3Xo4/b63NenDiUUrSARVorXWdnPYCMXq/kQa1GzFuf7GrE26gSfK:zIq9DG8ph44/b63NerdCJvvyK
                                                                                            MD5:22D1375BD7192D1F401F6D70A8D198E1
                                                                                            SHA1:149EC849122994ABA816B2116ECB0BB8A59CC117
                                                                                            SHA-256:CCB7318B3897FE71E315F0A902612CD8DB0649BFA2BD0FC96FE547BBEACD5DC1
                                                                                            SHA-512:627AE7ED5D2659B94CD04BD8667FB27B4136CDB77881E665D8686BF0A178364E5D25927B736B4829B7709474E8EE0C05A6956AB64F947AF625E95A1B96841616
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 128 x 128, 8-bit colormap, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):3436
                                                                                            Entropy (8bit):7.712873233142204
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:BVPPsZI483A9NMMEqRhAC5jFaC0a0itucnLrMANQbQ3TSLj5eHiXMdYueh6HS:BV6fWA9NMMJTFa6XncOS/kQMdLeh6HS
                                                                                            MD5:E041F5D2D1C815F7E1571AC1806E6CCB
                                                                                            SHA1:1960B0B26098226FB6EDCF170FC393B1D21FC007
                                                                                            SHA-256:EE81C0517E6847077B697F053BF9774DCEA897176126DDFC45D75BF9EAC07369
                                                                                            SHA-512:25A6D376DE134A007812C29FF1652C3C16621489783133888A2D91C114E25936EF1E69DE1A96C556907CF53926E75C3696ECE639B26F553EB39590BF05A859D1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1523784
                                                                                            Entropy (8bit):2.7826692633842054
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:pyBbnweEwdr+e0wdM3XuEQr6SL44smFqC8lsDsIswKOQHURJpk:pyBwBKWwdM3XuEpcFqXsDdsUQJ
                                                                                            MD5:1DD35B4C46E630A897578712B93608E2
                                                                                            SHA1:50FCF12276F2725421E8EA584268C408C30A13ED
                                                                                            SHA-256:04096FA2737F7C8724AB1B39594AF054692511C1F5AA8E70D1EB6F01E16FE24C
                                                                                            SHA-512:7BA014F66103C5B68EF321F5C6778BB80391D76E23D19E74E109E326C8358603A687E0CB925D90E1C9A35AC9702C1D7AC53A494CD513A0421EA3AA6CEBB33BED
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:MS Windows icon resource - 18 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):172066
                                                                                            Entropy (8bit):4.32521391566617
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:Dg7Z3gHhMIW7F3TGUhxkZ1OgbC6kStqJ1L3mC3g9BQ0MRB3R9HwXOeOkccOOOOJW:07Z32hLWNTJhxiQACPStqzZw9ep3RV
                                                                                            MD5:247D14144A313421D8D84AA0EA54D249
                                                                                            SHA1:83BEFDD6EBA57FAA3D3074AA08A28A4E8D75076A
                                                                                            SHA-256:2D5AA67B8ACE13A94FD09316787E3C9ABA2ADAC767B6E2AB769A2265A2AD20F0
                                                                                            SHA-512:F2D79A2A75148EFAF90A4A92980E781B1F94A4A1034383FFE5749983085EF7EAFA29D4804094296B212795501B4B4A126BC47C24A91B60C24104BC4B24D99565
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1890
                                                                                            Entropy (8bit):6.270315125619703
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:V/6GMYLVknA9WpY4b/OBTMCkKs/cb36yKCHny3b/UHclqvRNXf2U:VSLYJknmWpY+/OB7s/JCHnS/UHclqvRP
                                                                                            MD5:A0B4AB1F2D6240038BAC830C769346E7
                                                                                            SHA1:D5857236C99653114A2873032E90FF1C02C9F546
                                                                                            SHA-256:A0599F541C96698F0D05698C40193392526AD1243AB2054E74C559576572C9F8
                                                                                            SHA-512:ED3DAEF5CD7DDE9EAA22868CF099E6774F79FC2E825A6D19D4996133A65331F40DA16E547E2D4821C458C869E12721A5B3D183DA535E21C7A72BE928C21113D9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2225
                                                                                            Entropy (8bit):6.720330344395111
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:e/6GMYLVknA9WpYPJ11/cb3yHny3OHcYBLX1MmCE3oJlYw/VO:eSLYJknmWpYRH/xHn3HcsLSmT2O
                                                                                            MD5:324E1FB98022ABB4B1BDC0A806BEB21E
                                                                                            SHA1:D8657BDC8E2C7E345B8047E86B7774F5AD60AB28
                                                                                            SHA-256:5F5A2A24BCD135378B8D2FCB67E40E406B31BE5D0D05335734080EAF12D28516
                                                                                            SHA-512:298C9CF2A6B82F4AD53932C425EDC7E806E292613616C30CC2A02CC45CCFAE00C6396793E453A465B90F8A2D383EC472FE3EFAD338232588FCCD2CCE6DC0EBEF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:MS Windows icon resource - 18 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):173157
                                                                                            Entropy (8bit):4.255331708042852
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:PwjdoBixRo57MBaKolFvInGKhhsbLopdRyShwhn:P7g1OInxHZdDhwhn
                                                                                            MD5:0F25250F2A0751025A39A6672B8E8092
                                                                                            SHA1:6D76AD0CB3234CED98E1345164ADBCB1CD65E5CD
                                                                                            SHA-256:4ED6A06EB192128E4EB92091B3F513A14784586E2CCD8A1486A3E4CB5A96C303
                                                                                            SHA-512:49B0FC026012185DFB209D3DF8BCEE936A37E6DA639EC4E57C5C35CB4F0D3DAFD68609EBC919D4467CF5DF7E3936A423A464CF53899375AB99B01A0DD8F94499
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 64 x 64, 8-bit/color RGB, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):3085
                                                                                            Entropy (8bit):7.9066003692237
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:3SZMtyR8uL8KSoCWG4LbDbWv878B4e9XH/8vDrb1:3N48I8T90niKe9Q
                                                                                            MD5:3D1D1E720F5F2BF20E161A15228A67F4
                                                                                            SHA1:8CE85D88067CAE47BBD43C85732FA4926E7924BA
                                                                                            SHA-256:0A05E3FAE6920F125906F01C3E5109A6B667B5899C68FB48BC7F31C9D860CDE4
                                                                                            SHA-512:9840FD1EF4E7DED66918692149CDBE6E834F3C8E5C26C8431AC1919382CD5AFBC59C5220333C9E1A7B575EBC4F39D864EE20F00D81B823E125F3A55FAFC0D899
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:MS Windows icon resource - 18 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):172066
                                                                                            Entropy (8bit):4.32521391566617
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:Dg7Z3gHhMIW7F3TGUhxkZ1OgbC6kStqJ1L3mC3g9BQ0MRB3R9HwXOeOkccOOOOJW:07Z32hLWNTJhxiQACPStqzZw9ep3RV
                                                                                            MD5:247D14144A313421D8D84AA0EA54D249
                                                                                            SHA1:83BEFDD6EBA57FAA3D3074AA08A28A4E8D75076A
                                                                                            SHA-256:2D5AA67B8ACE13A94FD09316787E3C9ABA2ADAC767B6E2AB769A2265A2AD20F0
                                                                                            SHA-512:F2D79A2A75148EFAF90A4A92980E781B1F94A4A1034383FFE5749983085EF7EAFA29D4804094296B212795501B4B4A126BC47C24A91B60C24104BC4B24D99565
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 96 x 96, 8-bit colormap, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2840
                                                                                            Entropy (8bit):7.779556867988433
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:mT+HM1zWrwQcb9I+T8+wa2A/qowH+PGbDBPpG4HYbkOJ6D8g40wUneOUn9SR0w:mCDI9Ka6Phg4H03ADt4BbO9R/
                                                                                            MD5:9AFAE340EF2590605D90742BE0F97AD4
                                                                                            SHA1:F3A48650C7ECF4171E885291368FAF39EAFE742B
                                                                                            SHA-256:DF1DE454A6FD238A4491E588742B100BE82EA01FE11CEF8A48CEFF11714EF08C
                                                                                            SHA-512:6597BF732DF8E37C460EE867012C7EA00E1819F48CECB26BD434FD42137037CA7F4E6B2DF00FD6D6E147038F170872C45F638F7B75C15176C2CA75181A49CB11
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 184 x 184, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):4814
                                                                                            Entropy (8bit):7.603612858141585
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:fSLYJknmWpYU2/+HnGHcNHB+Yh7TGiJZy/OeLVy7Pu2p:fSMJkntHG4h+Yh/Dy/r2p
                                                                                            MD5:1628F8141497EDAC17E8C1E93137D05E
                                                                                            SHA1:86FE7130B12D9CE3DBBE55557CCD3D8A08B7872F
                                                                                            SHA-256:A646012E5F49DEA2318A63403896D02CBC9CC7AB73EE5D1720CDE7A02D898330
                                                                                            SHA-512:8EAAE30F962C31DB8B4B1F2802E0122599EE0717A1E2DF916D18966310E29BFA931E21C7545AC8BBF409F0E1DDFCC2C327A3F90BCB3CE397DC7B07598B0BF8BF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):559
                                                                                            Entropy (8bit):7.2779882687327815
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/BAhjCV0/EbjENsF01++HffYUbT6EKUi/V++PNu/DVy4mmwoUS7:cuL/v4Af7Heu/xy46b6
                                                                                            MD5:AEBDEDE341B41B23DFB30057BAE2EE7C
                                                                                            SHA1:0E35B6B8FD0A093292FA250BDA58D1BB942D130A
                                                                                            SHA-256:4710260973DA8F2594BD466CBDE7EAFB81B70EF36209A2687303EA2A3D7599EA
                                                                                            SHA-512:166B8F64BEB18376C58974D68D643763A79E159F396F49B4EBECA1D69C7408315F5D7CFF91C7AEF02A17D5D51B1CA9202420437750E9EB6C11181E571570FE87
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):686
                                                                                            Entropy (8bit):7.468895596477723
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/kWM8k9Nhsc6M8SP0fJ/Q83v7wE0bQ+sNuxWfAlSBz1AusrPkPtzJl7:LW/a7sc6aP0/RkE0bRblSBxfsTkPtzr7
                                                                                            MD5:E4DA862AC96AACD347694CBEA94692D4
                                                                                            SHA1:A09A03311D9F0C50A2D789C8C28184C030EB1589
                                                                                            SHA-256:3E99E4A3BE49F91175367B28B9F715FB0B26775CC6A4D62EFFD0872521CCDDDD
                                                                                            SHA-512:0732B14F428CEDD43B0647A83B2D8DE2EFF36C52FB84D1601A7C868F6A38BF53BDFE98F1FC2D1370EF7FDE34B6214F33CA0E57893B7541740879F0B9258069FC
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):778
                                                                                            Entropy (8bit):7.596632816627522
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:zyJefEDECmwMoGZRZYqIJfd52l4dCR7e/fHxmRTcsTRmk4VCc:8ezeMoRndwl4MRgfHxmVfmP
                                                                                            MD5:6CDA093165FDC85BFE957F93506F393D
                                                                                            SHA1:0FD7305821C473353356D50AC10EE9C7123037C7
                                                                                            SHA-256:94D573B26E154D166FC1CE3D629720243767E30EB97F3BDA165FE33A2D41EF70
                                                                                            SHA-512:BB967D12E711DBB004107F89803E3191B4570C31A90F2F84EC0FE0A7E9425EDC1E614FDE34448429A2237A5A8FFAD7F0A56124F3C4489499E5D295076C44E6CE
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):756
                                                                                            Entropy (8bit):7.503143515526269
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/pctIncoXNRfcrZPXP5ODgm5vZ1D2YHrgN/fAi4wZ7uf5L6U2It7xw3z:HtKX0rZPXR855ZB2C8fAjsqx647C3z
                                                                                            MD5:2109838A7A5CA063418738EECEBE5F4E
                                                                                            SHA1:41220D5F861E4AF612C209AD9E52A306197E23F4
                                                                                            SHA-256:08458ED9715C6EB56EB29A3AF8E51CC64CE06354E0297055D17E1BA2C797671A
                                                                                            SHA-512:9051F000D40BC0B79D2BEB07996857AA8E63ED4603906D13369A9EC4781ECEC7B61CC2A3117EDB958B87BF903B65A68C131D5B1AC10B69F66A6DF9CD210140D7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):666
                                                                                            Entropy (8bit):7.3770559558779105
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/wk5tXZE/akFxGZlOhXmwXVJaakU4w13O6SFI:c5k/akFxOOPXVYakUL2I
                                                                                            MD5:85F267F27400D12AADCAD952DB88BE4A
                                                                                            SHA1:EA523C0D374BEE0265C29E6ED9FDFA0BA53F2838
                                                                                            SHA-256:0CA7BA0B47E8C1BFCFC72229365CF58560FC2DDBE0E028E794D0DFBA9B902E31
                                                                                            SHA-512:6C7930F188C70FE0FD4EDE0FB4CFF1578E53C3817DC22D11F0D97E15252D4C1D563C94B038A9D1DCA9A61CE2081832B42E1ABA5E4271682361C9CB0BDCCD3A2A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):662
                                                                                            Entropy (8bit):7.500528984748096
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/OmiQN/wtuHthIwUqDVL/NnQj+bl0Zf0MiB6wN4zpPl7:nmtN/QqD9/NQm0BpN
                                                                                            MD5:EE3BE319807DEB3E8597DE68C11DB6D6
                                                                                            SHA1:E16AE92714A89510F10B2C7D30BED353E1ECEB30
                                                                                            SHA-256:336C83D6F4E41954AF898890B27C4777CC99D6AA2F40AFC26EBB23DAC1492CB0
                                                                                            SHA-512:3BF02AC3C8D9BF357FC465BF3F9D6AE13AD2BC84C9E8DEC623FB8B41634163530B39F1BEF6B95F37D84BE921EBCC0D112C4FBE7D5AAE7D4C8B118590F14E159D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):587
                                                                                            Entropy (8bit):7.3772009500673255
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/iNNnKk2AKeFxZ9leldNzFq0yrqIYS5y9z7rUL6TBj:tEkzK4sz0LrqIJ54TBj
                                                                                            MD5:490B3EB3FAB0FF9D76676434D8AF5EE6
                                                                                            SHA1:D1AF9DD68F07AB9025F2D777E14A36CDF8C4CE28
                                                                                            SHA-256:5C7BBA88922528D6E702A6FD5AD029B79D9A164D8FD534BE40012A1BB4B1D379
                                                                                            SHA-512:8750FF2D51F26A534644EA1DBA106E7D870603A6E7C4AEFB36250F54FF04420A60A45EC9C0A44951AF5A1C1A372D77A163C7C506E6D472CE053DA76C315C561D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):509
                                                                                            Entropy (8bit):7.102409722459139
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/4Qno03sZLLpUBJY6c1u+3Qc0FnKGV2wN:yX+pIY6c1u+rWK8J
                                                                                            MD5:4656A1616DF31B5AE00D40B1497D1A5A
                                                                                            SHA1:9CD31B103341E34D432177DF85B3AA0239EF3800
                                                                                            SHA-256:D0928DFE0B6BF394C5C309A3B420F70D80CB0D3C631580269EB28398140BF012
                                                                                            SHA-512:544874EE66097B6568B287ADB4D281C3B71AA892E083F662D46346026251744FC9F6B4FF7FBE5D3BC8BBD3E9BB17B76744800331B2E5A4E003E052EC65CD4FF2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):497
                                                                                            Entropy (8bit):7.185833824483844
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/8E1rdObMO/sL/1+MiDGksH63DEfdKdvICJDIuGotZcH:eObMvL/EVShaIVKJICJ/e
                                                                                            MD5:DDCB9C8CA834CE27C21391CD30E7BD5E
                                                                                            SHA1:067637B353C2C0F2F5AB314F800E438C2A859D5C
                                                                                            SHA-256:556FC2CE9D14BECD1976BE6E38B474569C6DE945B24E01A1589C2469626E9976
                                                                                            SHA-512:B4BB46AD5B7FEEC9426BDFB307E6BB15255CFEBAC4DF6FA4B76955FB12B80C1D842298A03EF160579516EEECF8B4D2F5F8F90167535DB52101BF4B997755F279
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):528
                                                                                            Entropy (8bit):7.303967565028983
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/fSqKtkFtDCUQNt/69N7TcnFnsD73YPSD8Axoz/7:ntkFtQNt0cFnsDzkSDlM/7
                                                                                            MD5:70410A23852032FFFE1BE6AF94915650
                                                                                            SHA1:52AA1057BBFD9895C7F614DB94108C318174121D
                                                                                            SHA-256:AEEBAB5512387BB379368E7D274C460C55F8EE2863C97030A15343E7270A940F
                                                                                            SHA-512:F97340BB0EBB500A7F08279E61454C71A5AB65DD0AE202322A9FC0B3F1A3C84E1427C1AF54C15A15C634DECDEABA6D8BFFE4CFB7411A6B2AB24DC5276169D6D0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):497
                                                                                            Entropy (8bit):7.185833824483844
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/8E1rdObMO/sL/1+MiDGksH63DEfdKdvICJDIuGotZcH:eObMvL/EVShaIVKJICJ/e
                                                                                            MD5:DDCB9C8CA834CE27C21391CD30E7BD5E
                                                                                            SHA1:067637B353C2C0F2F5AB314F800E438C2A859D5C
                                                                                            SHA-256:556FC2CE9D14BECD1976BE6E38B474569C6DE945B24E01A1589C2469626E9976
                                                                                            SHA-512:B4BB46AD5B7FEEC9426BDFB307E6BB15255CFEBAC4DF6FA4B76955FB12B80C1D842298A03EF160579516EEECF8B4D2F5F8F90167535DB52101BF4B997755F279
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):584
                                                                                            Entropy (8bit):7.302778588994893
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/s+xhi1bfZBbh8vAXfe/yuf0f8PwS5B6YFH4EpeGE:qMdhqAQI8J5JVeGE
                                                                                            MD5:99A70351A78CD3C1874176CE84F3ABB0
                                                                                            SHA1:D6F88EB842B5C9612F23DCFA9853A552F9981ED3
                                                                                            SHA-256:E9661B52AD885E44D6B19BCE8A51C28941FAA0D370EA314F02A8E44F2EA7FB52
                                                                                            SHA-512:8580E0D531540784807C9D7C0BBB5B9934334497F07DF6B9DB79B9E7EDA422397260F389B2173F691EFE7EC2B70CE3F631212D1243D198E239180C85AF0D1792
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 72 x 72, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):417
                                                                                            Entropy (8bit):6.950003366236431
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7H7/bQMU3LVIgleLbg6lMtBUTl5Sk5yQ4N:cQMUegleLbd+aGQq
                                                                                            MD5:D3CADBAC203124C96D5A0747A523B5ED
                                                                                            SHA1:ADDC077B5821E5E0F884AA3B4D7759557B03B8F1
                                                                                            SHA-256:FF9E1ED90629CD56047600DCD40C0B2461E944AFDB512757FCC269F28D844091
                                                                                            SHA-512:661E8D42116A0215569172E6C121C20CD5614DD9E9CEE5166F777F9C11F1629A866232ECA58BE2AEB8F6395811EF23EB4800C1C633AF9E7F6DF10568097AA305
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):8164
                                                                                            Entropy (8bit):7.968078686178688
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:5ShGf+PGgNKNGKt7oRZLb+Q5BfoKC8+cH/agXzquvsc1zoqFaq6:gcWDQjwZLbNjbBzqlc1zoqwD
                                                                                            MD5:101433263BB08BD1C23DAC5681879E89
                                                                                            SHA1:B483FAEAEA9F38CED611FED0FC45DBCEBAD21822
                                                                                            SHA-256:31C6AFEA4EFD925309BC2B903BCF3DF04F49FAB49E3A129D90A1D5B87EB1EFBC
                                                                                            SHA-512:4B12F43A79BA4C6AB6DA5BC43532C407D2A82ACE4D2B2F0CF7A97E994CC99C8BAB35CFB2E87E2C88EEB5BE2AB9FD23B9E4CDFCC84D315DE3EA71006DFF3D838D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 44 x 44, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1550
                                                                                            Entropy (8bit):7.825300175596613
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:o/6WkpNnbEqZLr0AS9oSrr1dK3Uc+pX7FGdif9:oSWKpSHrTK35uLcC
                                                                                            MD5:B63112F40B2C27CBCAC61F4DFFCEB7AD
                                                                                            SHA1:08D1EB190BA51520B20C80E1CF5889F1D3AE715E
                                                                                            SHA-256:7E0EBE079C5B959443BA5F80A601641BAD071C7F0A9848BBA2F4732943C3CF1A
                                                                                            SHA-512:4964544FA673E47F529C4E00174F9E15ECAA434A103C94A0AC0E5B1F70513151311742662DDAC72F3B99EA1E221D13F884B54867CE8C11AF64293D1592D0FB60
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2920
                                                                                            Entropy (8bit):7.5549021331572055
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:utYfgqd2a4olSrFU3ACB4x8YA7WCjQMXJVVEJe966666666666660KI79iTrdyoP:Uqd2atFACdYAeMXHVb79Udyo3/
                                                                                            MD5:808D381B805B691990250094BFC10AAB
                                                                                            SHA1:BBE4218ED09027DB8DFE9B200FCBD48AA11BBE40
                                                                                            SHA-256:322E21B7386D3D6AFBC95348420FF697607CFF500CC80B4FABE0061CA8AB153F
                                                                                            SHA-512:9573A309C58A2380A2E180B2E569530FD1D1B6A4A1340029420CD0CE9F5380A6BFF7755FF7AE4E41D1DFF37CBD02470ABE8280FC7D6C4CFE1171B0EE33ABEED4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):455716
                                                                                            Entropy (8bit):5.169510702747751
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:Rs3/0+NAoXAY6nuKGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplh/y6woW0nFTF958lQ:A8CX0Qky6cp+7B
                                                                                            MD5:E3C8B42670EBB0530EE81F427671AAA1
                                                                                            SHA1:F8C75ABC800C7326E6E814947390C14575D691CB
                                                                                            SHA-256:1B31630CD15BFDC663B9630790B968AEE407730DC94F48BB96FBEDAC9ECB1002
                                                                                            SHA-512:4CCA913DD1890DBFA72195EFF3CB5856AC6C01A4A910DF719376EA13264E129823D3788EB874C222534AEE1E1CF7B3ACE71900002252449A872BB3C9447F3B98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):455696
                                                                                            Entropy (8bit):5.167372000083355
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:vtn/0+NqoXAY6nuKGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplh/y6woW0nFTF9589k:98wX0Qky6wN/iZ
                                                                                            MD5:2EB6C328ACE10BEE32EECB6609578AAB
                                                                                            SHA1:3FDE2F845CF62FF557FD49E46FA6F761CFF4C7EA
                                                                                            SHA-256:40F438A5F0D0E9FF5BBCAB29D51BC7B6CBA03548C5DB021A05426665A2F98A69
                                                                                            SHA-512:E4FF466CEBA47C71046985AB1E62877BFC57D5A98F0E966C46F64FB23710C85CC2AA3BD2F4B0ABC134D18A501D7A01FFE881110FC57A8B5DDB07C89DCD4F3514
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 96 x 96, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2034
                                                                                            Entropy (8bit):7.799908493779348
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:Kx/KKALszjP5IDLdORyLx009AP4qDlMagUNI:0KRLsxInU0GAquYK
                                                                                            MD5:394CDED23C91F54DC1BAAD042F0BAF56
                                                                                            SHA1:7FF0C66CF2EFADB2BCEB3671D260AD66E51E60F2
                                                                                            SHA-256:EF828FB337878E4E2866898509B9C7CB644B25B2DD605B5BEB7AB7B6D1E8C10B
                                                                                            SHA-512:D91C5D49623DB77EF48E64826D5549A1D68F33557F48F449256E31ADC2AFA3DEF27065BEECF7214E464705EB548A897FC0DF9D4BA854771414FE08EF6885D87E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1131
                                                                                            Entropy (8bit):7.539173215427748
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:i6HbSX/S2SGL2TdBHPpmpjAUZrIiCQaVKfkkcDj3gH2SHm:iYYS2SFXHPpm2KkhZlk0j42SHm
                                                                                            MD5:1F14FCD3E65F859B54982203541EAC28
                                                                                            SHA1:688A64E380D8D577734E5445841E5C1C475C2D9E
                                                                                            SHA-256:1C98830ABD041C4C169A2B2E067D44C7409D9936212239ED43821517CBAFAE81
                                                                                            SHA-512:BF25182DC4AC5CECB6A4F43B961385762190EFF0D652540046A855EEA821270756CFE85D10B6CD5B849CC1F5985B1F1703EEFD4F34DF5E979C149960AFCA5AF8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2635
                                                                                            Entropy (8bit):7.086781921567285
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:5/6sMYL4knA9WIYv/c0+M3LoHnsI18kkbcfF0/ncu0gefDClN:5SJYkknmWIYv/1oHnsI1Pkbct0Pr0ho
                                                                                            MD5:634A6CB092B6F24A978DDFFF4C61BD18
                                                                                            SHA1:BCA77AD5B31DAF62FF1F198DC7A284CF63B15D7C
                                                                                            SHA-256:B16531F0B4DD8C309A7FDFA3E221BA7831D08545147C329289C6BD1953D316CA
                                                                                            SHA-512:D3F593D3E1E84BD69F723896210EF8B637C869F8CAF7511838314B8629DD444BA4FBCA24F2ACDD783ECCB61309F206953DE2FA6DCCBF4534070665E6008D74E5
                                                                                            Malicious:false
                                                                                            Preview:.PNG........IHDR.............<.q.....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Windows)" xmp:CreateDate="2019-03-08T08:15:06-08:00" xmp:ModifyDate="2019-03-08T08:15:48-08:00" xmp:MetadataDate="2019-03-08T08:15:48-08:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:6af61333-b76c-b843-bbd5-fce416c4cc20" xmpMM:DocumentID="xmp.did:6af61333-b76c-b843-bbd5-fce416c4cc20" xmpMM:Origi
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 150 x 150, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):3320
                                                                                            Entropy (8bit):7.8690369426173135
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:zYf/U/+VqIxA7fag36qo1g4kDPA7rNpHxNwSToKuCk6Ugy2ovuPN/U/l:zg8WVvxAhqqo1pkap7aSToRCk601a89
                                                                                            MD5:B8D4762200AE6CF6DFC6095F99991BA5
                                                                                            SHA1:538AE061F49B6667EC9034FA89DC61D017585449
                                                                                            SHA-256:4DDF0BA7559045DE3AEEA53D437AE30AA454DDE43BF0CF6C8E17F62B9FDEDE0C
                                                                                            SHA-512:7CCDF4F8800E70046FB133FA36B1708653A02527749E91BA30A00A8118387447F03718C3E8BE97A23E1658A43526ACC033850CFE218DCF2CCF9017D4CAD089A1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 71 x 71, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):649
                                                                                            Entropy (8bit):7.353929386715879
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7gEwQsr9/cGyCe+RN+EAal4AHCXsSElgkRz5xidKZzijLC2CCENj:/9/cGyC9zHS4yoidezijLrCCE9
                                                                                            MD5:99D2DC52EC927853379B1BA463CF10A0
                                                                                            SHA1:5B87D8B6B1E1B0708117688ED06C0D4FA5319542
                                                                                            SHA-256:A0954061763069D492CC980AA4739E80222C01B40950B3BE91512273911BF0E9
                                                                                            SHA-512:26536319D398135E0913E89C662ADEDFB4A3012AFDFB37CBE3D067861C0E157670727D46FA00C49AA5D1F31F457BF5275C0B3940DD84AF5DE24DF5882E375050
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 71 x 71, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2017
                                                                                            Entropy (8bit):6.767743953710028
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:T/6iMYL4knA9WIYJ/c0IR0Ry8RZ3IRFHns/OnTCMjFPn6cMPSliU:TSnYkknmWIYJ/OoTaFHns/OnTC0ZrM6P
                                                                                            MD5:86BABBCD8024350B7632657C07B69F95
                                                                                            SHA1:87338A33A60923F2F32427A004C3EA25DDA02255
                                                                                            SHA-256:CE98DB959DA190692BD87FB0532BC77357A12E2C5B859AEAA79F3DAF87855A71
                                                                                            SHA-512:6A386B053E94C7221D6824239CC80ADA0737D6A1958020728106E32E8412A12F0BFF16C96CE95B1958A326CBF7A0417B08E8309AEB01566C7449A46933C01BB7
                                                                                            Malicious:false
                                                                                            Preview:.PNG........IHDR...G...G.....U.Z.....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Windows)" xmp:CreateDate="2019-03-08T08:15:06-08:00" xmp:ModifyDate="2019-03-08T08:16-08:00" xmp:MetadataDate="2019-03-08T08:16-08:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:535077a6-42f4-764f-bd87-0b0ebbb6f9b3" xmpMM:DocumentID="xmp.did:535077a6-42f4-764f-bd87-0b0ebbb6f9b3" xmpMM:OriginalDoc
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 70 x 70, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2495
                                                                                            Entropy (8bit):7.906370816474683
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:kMLk2Mj1uKzhu2SjSjnCI17Orjw5ToOgzRgxUjcA/lkK:knD119Sj67E0K2en
                                                                                            MD5:7352445DE0A65B9D4F64B5AE18321976
                                                                                            SHA1:7D0E4CE5656718C9D23D9830D8C8C97F1E1C290E
                                                                                            SHA-256:9FEA899073B001FB4ACA567CB48B3E4EBC49F9B501A3B4AD4D4735A1E80DD9E9
                                                                                            SHA-512:7152A086BCB13EF31F63F693183F88E8AD233352A41E0DC62B346127FFAFF62F6622F195FA44EB44ED618404F8EAE6610068FE11F875C56E731199DA23497CDB
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 44 x 44, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):526
                                                                                            Entropy (8bit):7.441841581427649
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7rRYpXb66UNBuctgRNXD60ZJtxl8eSvq3XIfI20JurFDo:46ctg/DSy3XQI20yW
                                                                                            MD5:CF719AF2B225A3A21A8A446A4AD4BB4D
                                                                                            SHA1:B56DA2E3CF704588ABE215E8E410B6835F74F436
                                                                                            SHA-256:FFA3E653D00276A6F71C02C25ABDA74495810F74D15EA99309044782437D7C6A
                                                                                            SHA-512:AC5EC1E9E179B20BB4CEB766C2D63041B773AA6626ADA39284066803CEF4DD799C0F301879A35D5701F90E6F280EF3439E7CFE4A9502AB83F9D61201F76E5DC4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 44 x 44, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1850
                                                                                            Entropy (8bit):6.597390869066976
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:o/6m1hmYaWwjZknA9VYVhEdNT3UlCjWMmcI1VP9UVwU9Pq3VPcHH3XsGTmmtA7hD:o/6sMYL4knA9WIYojW/c0y63SHnsD/L
                                                                                            MD5:E3D96D88317BB7A6C5031D9A88ABF68B
                                                                                            SHA1:A3418CC9BCBF96C708052D6FE6D7DFC5542C5724
                                                                                            SHA-256:845C47F0B8ADDAE3F7B435E7EED1088DD6B4661E5DD8BCE87DF4E7C8FD3337C6
                                                                                            SHA-512:653BE53173AC24996AA581701A6316E6EE371D27A3DC0A1EE1EB6FDC2D0DD8D595869151047DCC84B097DAEF500BA9D53CC41172C085B97854B83CE4CB1B91C7
                                                                                            Malicious:false
                                                                                            Preview:.PNG........IHDR...,...,.......Z.....pHYs.................iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:photoshop="http://ns.adobe.com/photoshop/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stEvt="http://ns.adobe.com/xap/1.0/sType/ResourceEvent#" xmp:CreatorTool="Adobe Photoshop CC 2019 (Windows)" xmp:CreateDate="2019-03-08T08:15:06-08:00" xmp:ModifyDate="2019-03-08T08:15:52-08:00" xmp:MetadataDate="2019-03-08T08:15:52-08:00" dc:format="image/png" photoshop:ColorMode="3" photoshop:ICCProfile="sRGB IEC61966-2.1" xmpMM:InstanceID="xmp.iid:11686f50-72c5-d64c-920c-afe2b040e003" xmpMM:DocumentID="xmp.did:11686f50-72c5-d64c-920c-afe2b040e003" xmpMM:Origi
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 44 x 44, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):2186
                                                                                            Entropy (8bit):7.8605664218540445
                                                                                            Encrypted:false
                                                                                            SSDEEP:48:jz9l+cyIb3uIswJxUgK4VHj7BPzHpjo4KKcTPH1rfzQT0S9:37v16IswJxVHy4Jcpq9
                                                                                            MD5:D745C73AEFA52CADD7F30CE4CD8DA243
                                                                                            SHA1:F10160904D5139BBD335C6935A9BCCD4722A5BED
                                                                                            SHA-256:8DD5E165948C70FB8A3C2DD10749EBEC8C58D17CA0F046074ABF739A045A8C23
                                                                                            SHA-512:ECB6CC7D5DE4DC8D646D4D464543FADA55A78DAB6DDD5A9B97CE12246042CDD77D0D835CFDEDFEA8EB6B6464A860FD2BA7E93191C9629C0938696915304BA937
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):4413
                                                                                            Entropy (8bit):4.424534886531237
                                                                                            Encrypted:false
                                                                                            SSDEEP:96:7bl7X7HA9dBOdNtWLchY5F6LbFc0/p7DKcOjxVh39FRH/7Gd:vlr7g9dBOdN0ghY5F6H3YDjxVh39Pf7A
                                                                                            MD5:76CB1AA8C4A50B175B5B252027A564C1
                                                                                            SHA1:5DCD384271E81380F1544E3D091FE9D869335788
                                                                                            SHA-256:C46A5C13DA6D8973F7E0A90B63BB0F76C4829E9EDBCD66B4549BF8B76E65E002
                                                                                            SHA-512:48EB5238F013E4E19F1E6754885A6982F5DB40F16FB056C921DB2F92DA916F05E166DE8E4CE79FD91D39B5E584B6D0961AC1B7AC830DB8C3E4E70EA5DB253EAB
                                                                                            Malicious:false
                                                                                            Preview:{.. "cultures": {.. "af-za": "locale-af-za.json",.. "sq-al": "locale-sq-al.json",.. "am-et": "locale-am-et.json",.. "ar-sa": "locale-ar-sa.json",.. "hy-am": "locale-hy-am.json",.. "as-in": "locale-as-in.json",.. "az-latn-az": "locale-az-latn-az.json",.. "bn-bd": "locale-bn-bd.json",.. "bn-in": "locale-bn-in.json",.. "eu-es": "locale-eu-es.json",.. "be-by": "locale-be-by.json",.. "bs-cyrl-ba": "locale-bs-cyrl-ba.json",.. "bs-latn-ba": "locale-bs-latn-ba.json",.. "bg-bg": "locale-bg-bg.json",.. "ca-es": "locale-ca-es.json",.. "chr-cher-us": "locale-chr-cher-us.json",.. "zh-cn": "locale-zh-cn.json",.. "zh-tw": "locale-zh-tw.json",.. "hr-hr": "locale-hr-hr.json",.. "cs-cz": "locale-cs-cz.json",.. "da-dk": "locale-da-dk.json",.. "prs-af": "locale-prs-af.json",.. "nl-nl": "locale-nl-nl.json",.. "en-us": "locale-en-us.json",.. "en-gb": "locale-en-gb.json",.. "et-ee": "locale-et-ee.json",.. "NULL": "locale-ee.jso
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):31635
                                                                                            Entropy (8bit):5.190835578819602
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:VW0dwZzELuVFfcGrGn1szZ/sWwFx82O6C66/KdLOigoBenMkVUc0jMtnlqFfzYOU:VW0dwZzsujfmnwOWws2O6pGKdLOigoBi
                                                                                            MD5:2C8658509A0515474B52C899A500E0CB
                                                                                            SHA1:315E2AC511CECBDBB48214E35DD4D77004CB2527
                                                                                            SHA-256:C1EB0366C73D9C3520B8FF7BD178553374AEDF6F1DB197A7F85ED960EC022721
                                                                                            SHA-512:7E754FB4B9B48132A586B2156CDFE6F6008EFEAD13D3826E071A889AFA3727180476C5E316DBED8DC1D6BB075BE54B4C85FDA9AD93E90447A71C95860FF3B997
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ar-sa",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "....... ........ .. Teams",.. "tray_do_not_auto_start_button_text": "... ..... Teams ........",.. "tray_exit_button_text": ".....",.. "tray_exit_multi_account_button_text": "..... .. ........",.. "tray_signout_button_text": "..... ......",.. "tray_my_status_text": ".....",.. "tray_get_logs_text": "...... ... .......",.. "tray_get_support_files_text": "..... ..... .....",.. "tray_status_available_text": ".....",.. "tray_status_busy_text": ".....",.. "tray_status_donotdisturb_text": "..... .......",.. "tray_status_away_text": ".......",.. "tray_status_berightback_text": "..... .....",.. "tray_status_appearaway_text": "...... .......",.. "tray_status_resetstatus_text": "..... ..... .
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27986
                                                                                            Entropy (8bit):5.09769108191687
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:8ZB2bJpsMFWEA21768f7qGVE3nrnNHSCnf5Q17kb7S9TEv2m:8Z2Fr188f7qGVE3nrnNHSCnf5Q17C7SC
                                                                                            MD5:07D8100F82DF3550BB9913F1CD76AE02
                                                                                            SHA1:3B072A8941ED88D153289E7A9C3AD6CC9E8F1178
                                                                                            SHA-256:DEE0D516395371058382E3E04104D0A5A8F6A4457F8473BB17D45BAA5327646B
                                                                                            SHA-512:4232619434315CEE22F4C3D71AE73480BDBDD46331284D124F80FD56F3774E84C43731D6FE100B495BBB56DA209940901E0B13420AD4A1F80FD4FED6217C40F1
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "az-latn-az",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams-i avtomatik ba.lat",.. "tray_do_not_auto_start_button_text": "Teams-i avtomatik ba.latma",.. "tray_exit_button_text": "..x..",.. "tray_exit_multi_account_button_text": "B.t.n hesablardan ..x",.. "tray_signout_button_text": "..x",.. "tray_my_status_text": "V.ziyy.tim",.. "tray_get_logs_text": "Jurnallar .ld. et",.. "tray_get_support_files_text": "D.st.k fayllar.n. toplay.n",.. "tray_status_available_text": "M.mk.n",.. "tray_status_busy_text": "M...ul",.. "tray_status_donotdisturb_text": "Narahat etm.yin",.. "tray_status_away_text": "Yerind. deyil",.. "tray_status_berightback_text": "Tez geri qay.dacam",.. "tray_status_appearaway_text": "Yerind. deyil kimi g.r.n",.. "tray_status_resetstatus_text": "V.ziyy.ti s.f.rlay.n",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notifica
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35484
                                                                                            Entropy (8bit):5.107617713911127
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:aZq1iGesbMv3wxeyiELFSZ+u2T8E+k55LI1iY1bIsY9o7wHn:aZqw4Mv3w9iELFSZ+u2T8E+k55LI1iY2
                                                                                            MD5:43E7FE1EB19FA803E4FA3AFC445951F3
                                                                                            SHA1:3F330088BBEF3A40D0976CFFD65219EDFB55116B
                                                                                            SHA-256:423598E5D437047EC32AB048A110BEBDE4CFBB2F6F77DB716D0069640B0F3883
                                                                                            SHA-512:82B2092F3B6219BC9E4DA73E6122166DA99B921953AB83A6F46536FAB2E4FCCDC9AC2872403B32FBC2C6031BEDC38ED4B5F85FB6251840BCCDCF4CCB597779D3
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "bg-bg",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "......... ........... Teams",.. "tray_do_not_auto_start_button_text": ".. ......... ........... Teams",.. "tray_exit_button_text": ".....",.. "tray_exit_multi_account_button_text": "..... .. ...... .......",.. "tray_signout_button_text": "........",.. "tray_my_status_text": "..... .........",.. "tray_get_logs_text": "......... .. ........",.. "tray_get_support_files_text": "........ .. ....... .. .........",.. "tray_status_available_text": ".......",.. "tray_status_busy_text": "....",.. "tray_status_donotdisturb_text": ".. .. ..........",.. "tray_status_away_text": ".........",.. "tray_status_berightback_text": "...... .. .... .....",.. "tray_status_appearaway
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27771
                                                                                            Entropy (8bit):4.78357923150424
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:4ZkQrkYtz/Ds7e/Sb5FEwx3n57ryP3k600kDjKwiUHRniGJvdzh1ZtT0KNpYh/Fz:4ZkQrkYxDSb5FEwx35600kDjKwiUHRny
                                                                                            MD5:E3D87DDD746F448542661EA694EA3D95
                                                                                            SHA1:695DC18F3A31A95283E635CE4B59B1DBDFFC1477
                                                                                            SHA-256:E193DEBC2E98446448A6D3F98539CFDDAB6CB30E30C9E6276CB2BB0ACFD8C626
                                                                                            SHA-512:F735ACFAD66AEC9AB20D2BD792B175F3076B8CEF2D2B460EB695598589E10B6D0B7305006736737DEEE4D0D902E0BABECB715F1C973986D6D533252D969014F1
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ca-es",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Inicia el Teams autom.ticament",.. "tray_do_not_auto_start_button_text": "No inicies el Teams autom.ticament",.. "tray_exit_button_text": "Ix",.. "tray_exit_multi_account_button_text": "Ix de tots els comptes",.. "tray_signout_button_text": "Tanca la sessi.",.. "tray_my_status_text": "El meu estat",.. "tray_get_logs_text": "Obt.n els registres",.. "tray_get_support_files_text": "Recopilaci. dels fitxers de suport",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Ocupat",.. "tray_status_donotdisturb_text": "No molesteu",.. "tray_status_away_text": "Absent",.. "tray_status_berightback_text": "Torne de seguida",.. "tray_status_appearaway_text": "Mostra'm com a absent",.. "tray_status_resetstatus_text": "Restableix l'estat",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_te
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27765
                                                                                            Entropy (8bit):4.785786443752486
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:AZu6/kfOYsLscGH5FxwNN3nuw0y8600E/OJwiUHRqDKJvdz0Y6oZtTvhNpYh/BC8:AZu6/kf3YGH5Fxw/30600E/OJwiUHRq1
                                                                                            MD5:7A863935C1C96135722BFEC55CA535A5
                                                                                            SHA1:675BAEE21C0AED82A8B8ECA52D3EC5FFFC4C8628
                                                                                            SHA-256:9A020D2F5135E2FC4A3AFCEB4A4C90CF5CB0412FBA169822E1344D5A8AA4F979
                                                                                            SHA-512:DFE3BBDBCE2266BB75C4893B8BBA86A27DEF3459BD11DAA331CB6F8473FF2FEBA5B66CE42F2A9B11C12030F5812CA360BFD16637F4ABA373B22A9B6705FF44AB
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ca-es",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Inicia el Teams autom.ticament",.. "tray_do_not_auto_start_button_text": "No inici.s el Teams autom.ticament",.. "tray_exit_button_text": "Surt",.. "tray_exit_multi_account_button_text": "Surt de tots els comptes",.. "tray_signout_button_text": "Tanca la sessi.",.. "tray_my_status_text": "El meu estat",.. "tray_get_logs_text": "Obt.n els registres",.. "tray_get_support_files_text": "Recopilaci. dels fitxers de suport",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Ocupat",.. "tray_status_donotdisturb_text": "No molesteu",.. "tray_status_away_text": "Absent",.. "tray_status_berightback_text": "Torno de seguida",.. "tray_status_appearaway_text": "Apar.ixer com a Absent",.. "tray_status_resetstatus_text": "Restableix l'estat",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_con
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27338
                                                                                            Entropy (8bit):5.047758861707128
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:sZs/3AYstpPjVA8TaNvcB6H9BfCfIxjY1nPHsNJPbnW36gWGgDJ+BT:sZs4NpPj28ovcI9BfCfIxjY1nPHsNJPa
                                                                                            MD5:493D4277408D64E9E7A3B7A527E5D548
                                                                                            SHA1:39725B1EFD4F918EBAC1041C4C76B3D98254DEA9
                                                                                            SHA-256:523FD3BA3A028D7AC20DC9C2F20BD2614A41D28460E8DF6C0EA319DD9FFA3494
                                                                                            SHA-512:287BDB597301BA9F6372B0073A4C504034859C9440A72E43A0406FDD19846D24881238A4762B2321E2D17818A36D5EE3D767F7EBDA856C0C821B049CFC6893F6
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "cs-cz",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Automaticky spou.t.t Teams",.. "tray_do_not_auto_start_button_text": "Nespou.t.t Teams automaticky",.. "tray_exit_button_text": "Ukon.it",.. "tray_exit_multi_account_button_text": "Ukon.it v.echny ..ty",.. "tray_signout_button_text": "Odhl.sit se",.. "tray_my_status_text": "M.j stav",.. "tray_get_logs_text": "Z.skat protokoly",.. "tray_get_support_files_text": "Shrom..dit podp.rn. soubory",.. "tray_status_available_text": "Online",.. "tray_status_busy_text": "Nem.m .as",.. "tray_status_donotdisturb_text": "Neru.it",.. "tray_status_away_text": "Pry.",.. "tray_status_berightback_text": "P.ijdu hned",.. "tray_status_appearaway_text": "Zobrazit jako pry.",.. "tray_status_resetstatus_text": "Obnovit stav",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Aplikace Microsoft Team
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26718
                                                                                            Entropy (8bit):4.822677918501717
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:QZpgVauUO+sgtB5eLFldTUITPDwqj44qpZfH/Ov7lNpNPo6TVt96b:QZpS+deLFPPDwqj44qpZfH/Ov7lNpNPU
                                                                                            MD5:D5CAB560E5F2D3A220601087EFDE7CB3
                                                                                            SHA1:2A0C9E2D48E6DF47BA41A16A475D0B2E50622590
                                                                                            SHA-256:11A7C00E0307D8212ED61DF0FE906D717C6BDF2BE03DCB87A8808AC4E88A45C6
                                                                                            SHA-512:3822E8C143D8AC5929E6FB3739BE747A6DF47F48B215835C3565164AD2E57E410239C22B5FEAF478D3D2AEACBDBC51BB90B3448B31B2C38421247AF70BED66FE
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "cy-gb",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Cychwyn Teams yn awtomatig",.. "tray_do_not_auto_start_button_text": "Peidio cychwyn Teams yn awtomatig",.. "tray_exit_button_text": "Rhoi.r Gorau Iddi",.. "tray_exit_multi_account_button_text": "Gadael pob cyfrif",.. "tray_signout_button_text": "Allgofnodi",.. "tray_my_status_text": "Fy statws",.. "tray_get_logs_text": "N.l y logiau",.. "tray_get_support_files_text": "Casglu ffeiliau cymorth",.. "tray_status_available_text": "Ar gael",.. "tray_status_busy_text": "Yn brysur",.. "tray_status_donotdisturb_text": "Ddim ar gael",.. "tray_status_away_text": "Ddim yma",.. "tray_status_berightback_text": "N.l mewn munud",.. "tray_status_appearaway_text": "Ymddangos fel ddim yma",.. "tray_status_resetstatus_text": "Ailosod y statws",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Mae Microsoft Te
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26179
                                                                                            Entropy (8bit):4.789049367120409
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:nZp94AFwnsRPuU9BZ5PbvYJqCdEJ04OqU4InUzlp3hVHj0NwN7Io:nZ/u0PbvYJqCdEJLrrInUzlp3hVHj0Ne
                                                                                            MD5:84FBD0ABDC3EAC10F7A7F256C0727043
                                                                                            SHA1:005D8F456A8041889D3E63D3F8F91FEE06176380
                                                                                            SHA-256:3FBC754AA43B3C0FA3A87A7CF140FB3160FC768F20FED92D6C4F8ADFB712E2F9
                                                                                            SHA-512:86E3B6C81EB215E7BE269F68403821BAA73ABDDBC48011E7ECBDE7C4955A8BDD9E0B5878D8DD05B9590EAAFE96277EB72DDF9B1846B44AF0AB0456071ECDD9CB
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "da-dk",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Start Teams automatisk",.. "tray_do_not_auto_start_button_text": "Start ikke Teams automatisk",.. "tray_exit_button_text": "Afslut",.. "tray_exit_multi_account_button_text": "Afslut alle konti",.. "tray_signout_button_text": "Log af",.. "tray_my_status_text": "Min status",.. "tray_get_logs_text": "Hent logfiler",.. "tray_get_support_files_text": "Indsaml supportfiler",.. "tray_status_available_text": "Online",.. "tray_status_busy_text": "Optaget",.. "tray_status_donotdisturb_text": "Vil ikke forstyrres",.. "tray_status_away_text": "Ikke til stede",.. "tray_status_berightback_text": "Er straks tilbage",.. "tray_status_appearaway_text": "Vis som Ikke til stede",.. "tray_status_resetstatus_text": "Nulstil status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams k.rer stadig, og d
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):28229
                                                                                            Entropy (8bit):4.801436768930744
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:PDZzPSYSvTlgIJsxg/AlxofL3B6PBTr/OywtXNbi75HEH9bpt+uAMv3bVGP1zEo:PDZzPRsTKAAlKfN6PBTr/OywtXNbi75b
                                                                                            MD5:F0CB431FE6F4DF8AFE2EE0C8B13A9D9B
                                                                                            SHA1:9D71BC1CFA9E4569FF958D09D087E58E72343444
                                                                                            SHA-256:064C63E2071ECF277D61E9FC4214509E6FB57153B22E60251DC9F886CFC3AC61
                                                                                            SHA-512:AEE07D4E4F92BF035779E0E00AE30064F5CE50232F01E25BF51B5B39C85CA6F92037E775A924E120E01F6696E88508E625C165FBAF319F2F503F5DB6DCADEDA0
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "de-de",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams automatisch starten",.. "tray_do_not_auto_start_button_text": "Teams nicht automatisch starten",.. "tray_exit_button_text": "Beenden",.. "tray_exit_multi_account_button_text": "Beenden aller Konten",.. "tray_signout_button_text": "Abmelden",.. "tray_my_status_text": "Mein Status",.. "tray_get_logs_text": "Protokolle abrufen",.. "tray_get_support_files_text": "Supportdateien erfassen",.. "tray_status_available_text": "Verf.gbar",.. "tray_status_busy_text": "Besch.ftigt",.. "tray_status_donotdisturb_text": "Nicht st.ren",.. "tray_status_away_text": "Abwesend",.. "tray_status_berightback_text": "Bin gleich zur.ck",.. "tray_status_appearaway_text": "Als abwesend anzeigen",.. "tray_status_resetstatus_text": "Status zur.cksetzen",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):37949
                                                                                            Entropy (8bit):5.174337795233927
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:5Z4sg2gqn8p1YsnFmOWlbQt12a8+ccJIePh25M4xdotEOK8Qbh8zBuDxkR6I4ai0:5Z1g2g0nlbQT2a8ZcJjh25MQyEOK8Qbw
                                                                                            MD5:3E0AC7460A6A7F4FC75870C3A39C844C
                                                                                            SHA1:52AF89EA50BF7797D126CC491DFB20811D66F56E
                                                                                            SHA-256:9F04D3633AD7B7B54F57CE80E7D63A4DA188C5FB2528DF4F137C795F65F13EF3
                                                                                            SHA-512:B5D681188030B5B42E0B95F64BBCC415A3815E57A6F8FE85BA03ADB486F94D2A37C3CBBCE3288494F93414518B17C6E6D6372ABE161909E704BE69255BE18FFE
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "el-gr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "........ ........ ... Teams",.. "tray_do_not_auto_start_button_text": "..... ........ ........ ... Teams",.. "tray_exit_button_text": "......",.. "tray_exit_multi_account_button_text": "........... .... ... ...........",.. "tray_signout_button_text": "..........",.. "tray_my_status_text": ". ......... ...",.. "tray_get_logs_text": ".... ....... ..........",.. "tray_get_support_files_text": "....... ....... ...........",.. "tray_status_available_text": "..........-.",.. "tray_status_busy_text": ".............",.. "tray_status_donotdisturb_text": "... .........",.. "tray_status_away_text": ".....",.. "tray_status_berightback_text": "......... ......
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):22535
                                                                                            Entropy (8bit):4.725357544221275
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:UVk0Zh1BwbNhCsbdz3ysTieABpEQpyyilFB1w+vH1xLfM+1BWA1ZXhUsAiLf/BjU:+ZIhCsbdz3ysTieui1xLfM+1BWA1ZXh0
                                                                                            MD5:E565995D6A82594E3FB5AF7DEA0CD30C
                                                                                            SHA1:0257E9EBB7A1490C9994B2C0E76591C54926E1CD
                                                                                            SHA-256:45567EC2432C645F47FBCE7920C1A5B9C461D8C51CAD20654C805C28253D402B
                                                                                            SHA-512:AD12EA77A7D04EE96A94B6C35F31142B05C577749E56001E3D5AD723EA211F82A5612F0869C10F9942F09A1C02A0A6EDAAB6C65AE1D72D0DC5D041FA6A084FCA
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "en-au",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Auto-start Teams",.. "tray_do_not_auto_start_button_text": "Do not auto-start Teams",.. "tray_exit_button_text": "Quit",.. "tray_exit_multi_account_button_text": "Quit all accounts",.. "tray_signout_button_text": "Sign out",.. "tray_my_status_text": "My status",.. "tray_get_logs_text": "Get logs",.. "tray_get_support_files_text": "Collect support files",.. "tray_status_available_text": "Available",.. "tray_status_busy_text": "Busy",.. "tray_status_donotdisturb_text": "Do not disturb",.. "tray_status_away_text": "Away",.. "tray_status_berightback_text": "Be right back",.. "tray_status_appearaway_text": "Appear away",.. "tray_status_resetstatus_text": "Reset status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams is still running and you will continue to receive notifications.",
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):25065
                                                                                            Entropy (8bit):4.726407866473522
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:oZfhCsbSz3ysTieuu1xLfM+1BWA1ZXhVZUsAiLf7J/BjV9QcLiB:oZXE3yAiG1xLfM+1BWA1ZXhVZUsAiLfe
                                                                                            MD5:8FB72A8EC9200E7FCF4A178093AE7455
                                                                                            SHA1:A033CC61CDCEB6ACAB32A824FBD08CDB164E704A
                                                                                            SHA-256:BC6D0A968CE36BDDD6FDFBB74509B207DF52D23372E2DB790F53E959B18A9349
                                                                                            SHA-512:3A5115DB6ADBF19FCF92523348E227BAE5E0FDB6ABA119E40F709FB92226E445EA363AC870162E591832A09C837A4C88B9B2414223BC7F306C547249FE8374B4
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "en-us",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Auto-start Teams",.. "tray_do_not_auto_start_button_text": "Do not auto-start Teams",.. "tray_exit_button_text": "Quit",.. "tray_exit_multi_account_button_text": "Quit all accounts",.. "tray_signout_button_text": "Sign out",.. "tray_my_status_text": "My status",.. "tray_get_logs_text": "Get logs",.. "tray_get_support_files_text": "Collect support files",.. "tray_status_available_text": "Available",.. "tray_status_busy_text": "Busy",.. "tray_status_donotdisturb_text": "Do not disturb",.. "tray_status_away_text": "Away",.. "tray_status_berightback_text": "Be right back",.. "tray_status_appearaway_text": "Appear away",.. "tray_status_resetstatus_text": "Reset status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams is still running and you will continue to receive notifications.",
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):68807
                                                                                            Entropy (8bit):4.694872873668982
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:XCY37boQmy2q343xOqascNgRF0PGOSqenF5SC1i9pXKPxViRpN6glK+5iEDayctd:XCY37bpT74zE2J
                                                                                            MD5:6B2DE8E671982E2138B853CCCB701F7A
                                                                                            SHA1:B0F0E579288B2E3C857C43FFC6864221F046009F
                                                                                            SHA-256:C2F8BE54AA76F1B216D0FDE983631B8E0C0414A104DFE39FEDF595DD8F4414FC
                                                                                            SHA-512:014AF2C29A6FB444964843A62D03571BD612EDA7A468F0FB74502BAFA015F5299E58A37A2D6B77283AD1FB90063F9C2B3F3F01B257B70A928181F31323E3403E
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "en-us",.. "strings": {.. "ellipsis_text": "...",.. "_ellipsis_text.comment": "Text for ellipsis string",.. "tray_auto_start_button_text": "Auto-start Teams",.. "_tray_auto_start_button_text.comment": "Auto-start radio button text on tray submenu",.. "tray_do_not_auto_start_button_text": "Do not auto-start Teams",.. "_tray_do_not_auto_start_button_text.comment": "Do not auto-start radio button text on tray submenu",.. "tray_exit_button_text": "Quit",.. "_tray_exit_button_text.comment": "Quit button text on Tray icon",.. "tray_exit_multi_account_button_text": "Quit all accounts",.. "_tray_exit_multi_account_button_text.comment": "Quit button text on Tray icon for all accounts when there are more than 1 accounts",.. "tray_signout_button_text": "Sign out",.. "_tray_signout_button_text.comment": "Sign out (action) item text for system tray menu",.. "tray_my_status_text": "My status",.. "_tray_my_status_text.comment": "System tray me
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27532
                                                                                            Entropy (8bit):4.733977803861928
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:9ZeuET9sLOVYY1DAW2yA8medjqDolIr7IS+oUx4/ltmjZ2WlF:9ZeqKsW2yA8medjqDolIr7IS+oUx4/lm
                                                                                            MD5:0589F4A823B083E93E68D750BD130894
                                                                                            SHA1:3889B3743FA518197E68066D09F3F9948A4E8B5A
                                                                                            SHA-256:6719D566030EE2084FA2A7FF80CE16DC9D6E5D034EA460E630267DA3676189B0
                                                                                            SHA-512:37CC99A417002D26BDFB67FA00078A0A6D23E863F31E39654849A19440C0E1273959BF794C55BDED4F2B71A9F33299EB3C53A8227DD407982D6CA928AB49AD7E
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "es-es",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Iniciar Teams autom.ticamente",.. "tray_do_not_auto_start_button_text": "No iniciar Teams autom.ticamente",.. "tray_exit_button_text": "Salir",.. "tray_exit_multi_account_button_text": "Salir de todas las cuentas",.. "tray_signout_button_text": "Cerrar sesi.n",.. "tray_my_status_text": "Mi estado",.. "tray_get_logs_text": "Obtener registros",.. "tray_get_support_files_text": "Recopilar archivos de soporte",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Ocupado",.. "tray_status_donotdisturb_text": "No molestar",.. "tray_status_away_text": "Ausente",.. "tray_status_berightback_text": "Vuelvo enseguida",.. "tray_status_appearaway_text": "Aparecer como ausente",.. "tray_status_resetstatus_text": "Restablecer estado",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Mi
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27501
                                                                                            Entropy (8bit):4.7348605674199895
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:wZLPnDQsSyVNe4gr0yA8medjqDe1+rAIS+oUx4+AtmjZGWvF:wZLdetr0yA8medjqDe1+rAIS+oUx4+Ac
                                                                                            MD5:F27CFB9AB5025FD2AC63010D1CC8B928
                                                                                            SHA1:C98AE2373B947272708DF496FB2B1D1418DBC59B
                                                                                            SHA-256:2D3A3170ED35AEED85FDE0876DFE94A682EE5A7A7FB55138F4FFBA78E28A0D9D
                                                                                            SHA-512:7FB71D5B257D140DB98730471216FB5AA75A95AE925E10531C43ACCB3AFEEC80AAEB060B8DB88D362002418E2748E54F73F225AE01C137B07D5A3FE942C4F009
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "es-mx",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Iniciar Teams autom.ticamente",.. "tray_do_not_auto_start_button_text": "No iniciar Teams autom.ticamente",.. "tray_exit_button_text": "Salir",.. "tray_exit_multi_account_button_text": "Salir de todas las cuentas",.. "tray_signout_button_text": "Cerrar sesi.n",.. "tray_my_status_text": "Mi estado",.. "tray_get_logs_text": "Obtener registros",.. "tray_get_support_files_text": "Recopilar archivos de soporte",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Ocupado",.. "tray_status_donotdisturb_text": "No molestar",.. "tray_status_away_text": "Ausente",.. "tray_status_berightback_text": "Vuelvo enseguida",.. "tray_status_appearaway_text": "Aparecer como ausente",.. "tray_status_resetstatus_text": "Restablecer estado",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Mi
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26325
                                                                                            Entropy (8bit):4.789681446057841
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:ZZx7szs4EYXb656EP9Zfo9v9SMtzAVg1R7u5zktvXE6Z3/e:ZZub65dP9Zfo9v9SMtzAVg1R7u5zktvw
                                                                                            MD5:8EEE6AD730582AD63EF24F3F1A1B6E15
                                                                                            SHA1:D88EE6B68FF91340C43DCDAF6E2299617364C32E
                                                                                            SHA-256:F0EBDE0E734AFB55329A300ABF3DBC13514E6B077012787582DDAC56453A5A30
                                                                                            SHA-512:CCBB45E9C2B6E2151A50FB177E356DD585501CC6EBA36EACF927892E80106E747B23A06691D3CB7C5A03E1AF57A6A04B606C99E82326052A3AC4C7ECBB70E20A
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "et-ee",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "K.ivita Teams automaatselt",.. "tray_do_not_auto_start_button_text": ".ra k.ivita Teamsi automaatselt",.. "tray_exit_button_text": "V.lju",.. "tray_exit_multi_account_button_text": "Peata k.ik kontod",.. "tray_signout_button_text": "Logi v.lja",.. "tray_my_status_text": "Minu olek",.. "tray_get_logs_text": "Too logid",.. "tray_get_support_files_text": "Kogu tugifaile",.. "tray_status_available_text": "Saadaval",.. "tray_status_busy_text": "H.ivatud",.. "tray_status_donotdisturb_text": "Mitte segada",.. "tray_status_away_text": "Eemal",.. "tray_status_berightback_text": "Tulen kohe tagasi",.. "tray_status_appearaway_text": "Kuva olek Eemal",.. "tray_status_resetstatus_text": "L.htesta olek",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams t..tab ja sa saad endiselt tea
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26625
                                                                                            Entropy (8bit):4.72073854812862
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "eu-es",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Abiarazi automatikoki Teams",.. "tray_do_not_auto_start_button_text": "Ez abiarazi automatikoki Teams",.. "tray_exit_button_text": "Irten",.. "tray_exit_multi_account_button_text": "Kendu kontu guztiak",.. "tray_signout_button_text": "Itxi saioa",.. "tray_my_status_text": "Nire egoera",.. "tray_get_logs_text": "Lortu egunkariak",.. "tray_get_support_files_text": "Bildu laguntza-fitxategiak",.. "tray_status_available_text": "Libre",.. "tray_status_busy_text": "Lanpetuta",.. "tray_status_donotdisturb_text": "Ez molestatu",.. "tray_status_away_text": "Kanpoan",.. "tray_status_berightback_text": "Segituan nator",.. "tray_status_appearaway_text": "Agertu kanpoan banengo bezala",.. "tray_status_resetstatus_text": "Berrezarri egoera",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams ex
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27056
                                                                                            Entropy (8bit):4.802776184179091
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "fi-fi",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "K.ynnist. Teams automaattisesti",.. "tray_do_not_auto_start_button_text": ".l. k.ynnist. Teamsia automaattisesti",.. "tray_exit_button_text": "Lopeta",.. "tray_exit_multi_account_button_text": "Sulje kaikki tilit",.. "tray_signout_button_text": "Kirjaudu ulos",.. "tray_my_status_text": "Oma tila",.. "tray_get_logs_text": "Hae lokit",.. "tray_get_support_files_text": "Ker.. tukitiedostoja",.. "tray_status_available_text": "Tavoitettavissa",.. "tray_status_busy_text": "Varattu",.. "tray_status_donotdisturb_text": ".l. h.iritse",.. "tray_status_away_text": "Poistunut",.. "tray_status_berightback_text": "Palaan pian",.. "tray_status_appearaway_text": "N.y poistuneena",.. "tray_status_resetstatus_text": "Palauta tila",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams on k
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27296
                                                                                            Entropy (8bit):4.704092620803426
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "fil-ph",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Awtomatikong simulan ang Teams",.. "tray_do_not_auto_start_button_text": "Huwag awtomatikong simulan ang Teams",.. "tray_exit_button_text": "Lumabas",.. "tray_exit_multi_account_button_text": "I-quit ang lahat ng account",.. "tray_signout_button_text": "Mag-sign out",.. "tray_my_status_text": "Ang aking katayuan",.. "tray_get_logs_text": "Makakuha ng ng mga log",.. "tray_get_support_files_text": "Kolektahin ang mga file ng suporta",.. "tray_status_available_text": "Available",.. "tray_status_busy_text": "Abala",.. "tray_status_donotdisturb_text": "Huwag istorbohin",.. "tray_status_away_text": "Umalis",.. "tray_status_berightback_text": "Babalik ako",.. "tray_status_appearaway_text": "Lumabas na umalis",.. "tray_status_resetstatus_text": "I-reset ang katayuan",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):28476
                                                                                            Entropy (8bit):4.818036781479407
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "fr-fr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "D.marrer automatiquement Teams",.. "tray_do_not_auto_start_button_text": "Ne pas d.marrer automatiquement Teams",.. "tray_exit_button_text": "Quitter",.. "tray_exit_multi_account_button_text": "Quitter tous les comptes",.. "tray_signout_button_text": "Se d.connecter",.. "tray_my_status_text": "Mon statut",.. "tray_get_logs_text": "Obtenir les journaux",.. "tray_get_support_files_text": "Collecter les fichiers de support",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Occup.",.. "tray_status_donotdisturb_text": "Ne pas d.ranger",.. "tray_status_away_text": "Absent(e)",.. "tray_status_berightback_text": "De retour bient.t",.. "tray_status_appearaway_text": "Appara.tre absent",.. "tray_status_resetstatus_text": "R.initialiser l..tat",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_noti
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):28566
                                                                                            Entropy (8bit):4.818528937545654
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "fr-fr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "D.marrer automatiquement Teams",.. "tray_do_not_auto_start_button_text": "Ne pas d.marrer automatiquement Teams",.. "tray_exit_button_text": "Quitter",.. "tray_exit_multi_account_button_text": "Quitter tous les comptes",.. "tray_signout_button_text": "Se d.connecter",.. "tray_my_status_text": "Mon statut",.. "tray_get_logs_text": "Obtenir les journaux",.. "tray_get_support_files_text": "Collecter les fichiers de support",.. "tray_status_available_text": "Disponible",.. "tray_status_busy_text": "Occup.",.. "tray_status_donotdisturb_text": "Ne pas d.ranger",.. "tray_status_away_text": "Absent(e)",.. "tray_status_berightback_text": "De retour bient.t",.. "tray_status_appearaway_text": "Appara.tre absent",.. "tray_status_resetstatus_text": "R.initialiser le statut",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_noti
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26935
                                                                                            Entropy (8bit):4.7403369764793855
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "gl-es",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Iniciar Teams automaticamente",.. "tray_do_not_auto_start_button_text": "Non iniciar Teams automaticamente",.. "tray_exit_button_text": "Sa.r",.. "tray_exit_multi_account_button_text": "Sa.r de todas as contas",.. "tray_signout_button_text": "Pechar sesi.n",.. "tray_my_status_text": "O meu estado",.. "tray_get_logs_text": "Obter rexistros",.. "tray_get_support_files_text": "Recompilar ficheiros de compatibilidade",.. "tray_status_available_text": "Dispo.ible",.. "tray_status_busy_text": "Ocupado",.. "tray_status_donotdisturb_text": "Non molestar",.. "tray_status_away_text": "Ausente",.. "tray_status_berightback_text": "Volvo agora",.. "tray_status_appearaway_text": "Aparece ausente",.. "tray_status_resetstatus_text": "Restablecer estado",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Mic
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):29327
                                                                                            Entropy (8bit):5.010882377482622
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "he-il",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": ".... .. Teams ..... .......",.. "tray_do_not_auto_start_button_text": ".. ..... .. Teams ..... .......",.. "tray_exit_button_text": ".....",.. "tray_exit_multi_account_button_text": ".. ... ........",.. "tray_signout_button_text": ".....",.. "tray_my_status_text": ".... ...",.. "tray_get_logs_text": "... ..... .....",.. "tray_get_support_files_text": ".... .... .....",.. "tray_status_available_text": "....",.. "tray_status_busy_text": "....",.. "tray_status_donotdisturb_text": ".. .. ......",.. "tray_status_away_text": ".. ....",.. "tray_status_berightback_text": "... ....",.. "tray_status_appearaway_text": "..... ... ....",.. "tray_status_resetstatus_text": "..... ...",.. "tray_notification_ti
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):42204
                                                                                            Entropy (8bit):4.875073356102878
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "hi-in",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams .. ..... .... ....",.. "tray_do_not_auto_start_button_text": "Teams .. ..... .... . ....",.. "tray_exit_button_text": ".... ......",.. "tray_exit_multi_account_button_text": "... ..... .. .... ......",.. "tray_signout_button_text": ".... ... ....",.. "tray_my_status_text": ".... ......",.. "tray_get_logs_text": "... ....... ....",.. "tray_get_support_files_text": "...... ....... ........ ....",.. "tray_status_available_text": "......",.. "tray_status_busy_text": "......",.. "tray_status_donotdisturb_text": "...... . ....",.. "tray_status_away_text": "....
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26995
                                                                                            Entropy (8bit):4.8490653489348565
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "hr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Automatski pokre.i Teams",.. "tray_do_not_auto_start_button_text": "Nemoj automatski pokretati Teams",.. "tray_exit_button_text": "Zatvori",.. "tray_exit_multi_account_button_text": "Iza.i iz svih ra.una",.. "tray_signout_button_text": "Odjava",.. "tray_my_status_text": "Moj status",.. "tray_get_logs_text": "Dohvatite zapisnike",.. "tray_get_support_files_text": "Prikupljanje datoteka za podr.ku",.. "tray_status_available_text": "Dostupan",.. "tray_status_busy_text": "Zauzet",.. "tray_status_donotdisturb_text": "Ne ometaj",.. "tray_status_away_text": "Nisam tu",.. "tray_status_berightback_text": "Vra.am se odmah",.. "tray_status_appearaway_text": "Naizgled odsutan",.. "tray_status_resetstatus_text": "Vrati izvorni status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams jo.
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):28114
                                                                                            Entropy (8bit):5.014739428347315
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "hu-hu",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "A Teams automatikus ind.t.sa",.. "tray_do_not_auto_start_button_text": "Ne induljon el automatikusan a Teams",.. "tray_exit_button_text": "Kil.p.s",.. "tray_exit_multi_account_button_text": "Kil.p.s az .sszes fi.kb.l",.. "tray_signout_button_text": "Kijelentkez.s",.. "tray_my_status_text": "Saj.t .llapot",.. "tray_get_logs_text": "Napl.k lek.r.se",.. "tray_get_support_files_text": "T.mogat.si f.jlok .sszegy.jt.se",.. "tray_status_available_text": "El.rhet.",.. "tray_status_busy_text": "Elfoglalt",.. "tray_status_donotdisturb_text": "Ne zavarjanak",.. "tray_status_away_text": "T.vol",.. "tray_status_berightback_text": "R.gt.n j.v.k",.. "tray_status_appearaway_text": "L.tsz.lag t.vol",.. "tray_status_resetstatus_text": ".llapot alaphelyzetbe .ll.t.sa",.. "tray_notification_title_text": "Microsoft Teams",.
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26338
                                                                                            Entropy (8bit):4.7229321298975275
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "id-id",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Mulai Teams secara otomatis",.. "tray_do_not_auto_start_button_text": "Jangan mulai Teams secara otomatis",.. "tray_exit_button_text": "Tutup",.. "tray_exit_multi_account_button_text": "Keluar dari semua akun",.. "tray_signout_button_text": "Keluar",.. "tray_my_status_text": "Status saya",.. "tray_get_logs_text": "Dapatkan log",.. "tray_get_support_files_text": "Kumpulkan file dukungan",.. "tray_status_available_text": "Online",.. "tray_status_busy_text": "Sibuk",.. "tray_status_donotdisturb_text": "Jangan ganggu",.. "tray_status_away_text": "Tidak di tempat",.. "tray_status_berightback_text": "Segera kembali",.. "tray_status_appearaway_text": "Terlihat tidak di tempat",.. "tray_status_resetstatus_text": "Atur ulang status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams masih
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26861
                                                                                            Entropy (8bit):4.943809278037923
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "is-is",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Sj.lfvirk opnun Teams",.. "tray_do_not_auto_start_button_text": "Ekki opna Teams sj.lfvirkt",.. "tray_exit_button_text": "H.tta",.. "tray_exit_multi_account_button_text": "Loka .llum reikningum",.. "tray_signout_button_text": "Skr. .t",.. "tray_my_status_text": "M.n sta.a",.. "tray_get_logs_text": "S.kja ann.la",.. "tray_get_support_files_text": "Safna stu.ningsskr.m",.. "tray_status_available_text": "Laus",.. "tray_status_busy_text": "Upptekin(n)",.. "tray_status_donotdisturb_text": ".n..i. ekki",.. "tray_status_away_text": "Fjarverandi",.. "tray_status_berightback_text": "Skrapp fr.",.. "tray_status_appearaway_text": "Vir.ast fjarverandi",.. "tray_status_resetstatus_text": "Endurstilla st..u",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams er enn . gangi
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27109
                                                                                            Entropy (8bit):4.694641435688118
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "it-it",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Avvia automaticamente Teams",.. "tray_do_not_auto_start_button_text": "Non avviare automaticamente Teams",.. "tray_exit_button_text": "Esci",.. "tray_exit_multi_account_button_text": "Esci da tutti gli account",.. "tray_signout_button_text": "Disconnetti",.. "tray_my_status_text": "Stato personale",.. "tray_get_logs_text": "Ottieni log",.. "tray_get_support_files_text": "Raccogli file di supporto",.. "tray_status_available_text": "Disponibile",.. "tray_status_busy_text": "Non disponibile",.. "tray_status_donotdisturb_text": "Non disturbare",.. "tray_status_away_text": "Assente",.. "tray_status_berightback_text": "Torno subito",.. "tray_status_appearaway_text": "Risulta assente",.. "tray_status_resetstatus_text": "Reimposta stato",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):30020
                                                                                            Entropy (8bit):5.685423447037384
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ja-jp",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams .........",.. "tray_do_not_auto_start_button_text": "Teams ..........",.. "tray_exit_button_text": "..",.. "tray_exit_multi_account_button_text": "..............",.. "tray_signout_button_text": "......",.. "tray_my_status_text": "..",.. "tray_get_logs_text": ".....",.. "tray_get_support_files_text": ".... .......",.. "tray_status_available_text": "....",.. "tray_status_busy_text": ".....",.. "tray_status_donotdisturb_text": "....",.. "tray_status_away_text": "...",.. "tray_status_berightback_text": ".....",.. "tray_status_appearaway_text": ".....",.. "tray_status_resetstatus_text": ".......",.. "tray_notification_title_text": "Microsoft Teams",.. "
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):43731
                                                                                            Entropy (8bit):4.652358119604537
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ka",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams-.. .......... .......",.. "tray_do_not_auto_start_button_text": "Teams-.. .......... ........ ........",.. "tray_exit_button_text": ".......",.. "tray_exit_multi_account_button_text": "..... ........... ......",.. "tray_signout_button_text": "......",.. "tray_my_status_text": ".... .......",.. "tray_get_logs_text": ".......... ......",.. "tray_get_support_files_text": "........... ........ .........",.. "tray_status_available_text": ".............",.. "tray_status_busy_text": "..........",.. "tray_status_donotdisturb_text": ".. .
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35916
                                                                                            Entropy (8bit):5.288866391198977
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "kk-kz",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams ............. ......... ..... .... ....",.. "tray_do_not_auto_start_button_text": "Teams ............. ......... ..... .... ......",.. "tray_exit_button_text": "....",.. "tray_exit_multi_account_button_text": "...... .............. ....",.. "tray_signout_button_text": "....",.. "tray_my_status_text": "..... .....",.. "tray_get_logs_text": "......... ...",.. "tray_get_support_files_text": "...... ....... ......... .....",.. "tray_status_available_text": "..........",.. "tray_status_busy_text": "... ....",.. "tray_status_donotdisturb_text": "...........",.. "tray_status_away_text": "....... ...",.. "tray_status_berightback_text": "....... .....
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27436
                                                                                            Entropy (8bit):5.664107669069475
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ko-kr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams .. ..",.. "tray_do_not_auto_start_button_text": "Teams .. .. . .",.. "tray_exit_button_text": "..",.. "tray_exit_multi_account_button_text": ".. .. ..",.. "tray_signout_button_text": "....",.. "tray_my_status_text": ". ..",.. "tray_get_logs_text": ".. ....",.. "tray_get_support_files_text": ".. .. ..",.. "tray_status_available_text": ".. ..",.. "tray_status_busy_text": ".. .. .",.. "tray_status_donotdisturb_text": ".. ..",.. "tray_status_away_text": ".. ..",.. "tray_status_berightback_text": ". ....",.. "tray_status_appearaway_text": ".. .... ..",.. "tray_status_resetstatus_text": ".. ...",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsof
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27673
                                                                                            Entropy (8bit):4.953809620378946
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "lt-lt",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Paleisti .Teams. automati.kai",.. "tray_do_not_auto_start_button_text": "Nepaleisti .Teams. automati.kai",.. "tray_exit_button_text": "I.eiti",.. "tray_exit_multi_account_button_text": "I.eiti i. vis. paskyr.",.. "tray_signout_button_text": "Atsijungti",.. "tray_my_status_text": "Mano b.sena",.. "tray_get_logs_text": "Gauti .urnalus",.. "tray_get_support_files_text": "Rinkti palaikymo failus",.. "tray_status_available_text": "Pasiekiamas",.. "tray_status_busy_text": "U.si.m.s",.. "tray_status_donotdisturb_text": "Netrukdyti",.. "tray_status_away_text": "Atsitrauk.s",.. "tray_status_berightback_text": "Netrukus gr..iu",.. "tray_status_appearaway_text": "Rodyti kaip atsitraukus.",.. "tray_status_resetstatus_text": "Gr..inti b.sen.",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_con
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27612
                                                                                            Entropy (8bit):4.940692212013693
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "lv-lv",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Autom.tiski start.t Teams",.. "tray_do_not_auto_start_button_text": "Nestart.t Teams autom.tiski",.. "tray_exit_button_text": "Iziet",.. "tray_exit_multi_account_button_text": "Iziet no visiem kontiem",.. "tray_signout_button_text": "Izrakst.ties",.. "tray_my_status_text": "Mans statuss",.. "tray_get_logs_text": "Ieg.t .urn.lus",.. "tray_get_support_files_text": "Apkopot atbalsta failus",.. "tray_status_available_text": "Pieejams",.. "tray_status_busy_text": "Aiz.emts",.. "tray_status_donotdisturb_text": "Netrauc.t",.. "tray_status_away_text": "Promb.tn.",.. "tray_status_berightback_text": "T.l.t atgriez.sies",.. "tray_status_appearaway_text": "Redzams k. promb.tn.",.. "tray_status_resetstatus_text": "Atiestat.t statusu",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Micro
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35084
                                                                                            Entropy (8bit):5.084595367030588
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "mk-mk",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": ".......... .......... .. Teams",.. "tray_do_not_auto_start_button_text": ".. .. ......... Teams ..........",.. "tray_exit_button_text": ".......",.. "tray_exit_multi_account_button_text": "...... .. .... ......",.. "tray_signout_button_text": "...... ..",.. "tray_my_status_text": "... ......",.. "tray_get_logs_text": ".... .. ..........",.. "tray_get_support_files_text": "........ ........ .. ........",.. "tray_status_available_text": "........",.. "tray_status_busy_text": ".......",.. "tray_status_donotdisturb_text": ".. ............",.. "tray_status_away_text": ".. ... ....",.. "tray_status_berightback_text": "...... .. ......",.. "tray_status_appearaway_text": ".
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):25707
                                                                                            Entropy (8bit):4.7820352338850505
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "nb-no",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Start Teams automatisk",.. "tray_do_not_auto_start_button_text": "Ikke start Teams automatisk",.. "tray_exit_button_text": "Avslutt",.. "tray_exit_multi_account_button_text": "Avslutt alle kontoer",.. "tray_signout_button_text": "Logg av",.. "tray_my_status_text": "Min status",.. "tray_get_logs_text": "Hent logger",.. "tray_get_support_files_text": "Samle st.ttefiler",.. "tray_status_available_text": "Tilgjengelig",.. "tray_status_busy_text": "Opptatt",.. "tray_status_donotdisturb_text": "Ikke forstyrr",.. "tray_status_away_text": "Borte",.. "tray_status_berightback_text": "Straks tilbake",.. "tray_status_appearaway_text": "Vis som borte",.. "tray_status_resetstatus_text": "Tilbakestill status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams kj.rer fortsatt, og du vil fortsa
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26860
                                                                                            Entropy (8bit):4.7038287170841
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "nl-nl",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams automatisch starten",.. "tray_do_not_auto_start_button_text": "Teams niet automatisch starten",.. "tray_exit_button_text": "Afsluiten",.. "tray_exit_multi_account_button_text": "Alle accounts sluiten",.. "tray_signout_button_text": "Afmelden",.. "tray_my_status_text": "Mijn status",.. "tray_get_logs_text": "Logboeken ophalen",.. "tray_get_support_files_text": "Ondersteuningsbestanden verzamelen",.. "tray_status_available_text": "Beschikbaar",.. "tray_status_busy_text": "Bezig",.. "tray_status_donotdisturb_text": "Niet storen",.. "tray_status_away_text": "Afwezig",.. "tray_status_berightback_text": "Zo terug",.. "tray_status_appearaway_text": "Als afwezig weergeven",.. "tray_status_resetstatus_text": "Status opnieuw instellen",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Tea
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):25823
                                                                                            Entropy (8bit):4.7840703365190596
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "nn-no",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Start Microsoft Teams automatisk",.. "tray_do_not_auto_start_button_text": "Ikkje start Microsoft Teams automatisk",.. "tray_exit_button_text": "Avslutt",.. "tray_exit_multi_account_button_text": "Avslutt alle kontoar",.. "tray_signout_button_text": "Logg av",.. "tray_my_status_text": "Min status",.. "tray_get_logs_text": "Hent loggar",.. "tray_get_support_files_text": "Samle inn filer fr. kundest.tte",.. "tray_status_available_text": "Tilgjengeleg",.. "tray_status_busy_text": "Oppteken",.. "tray_status_donotdisturb_text": "Ikkje forstyrr",.. "tray_status_away_text": "Borte",.. "tray_status_berightback_text": "Snart tilbake",.. "tray_status_appearaway_text": "Vis som borte",.. "tray_status_resetstatus_text": "Still tilbake status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Te
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27897
                                                                                            Entropy (8bit):4.972382989400186
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "pl-pl",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Uruchom automatycznie aplikacj. Teams",.. "tray_do_not_auto_start_button_text": "Nie uruchamiaj automatycznie aplikacji Teams",.. "tray_exit_button_text": "Zako.cz",.. "tray_exit_multi_account_button_text": "Zamknij wszystkie konta",.. "tray_signout_button_text": "Wyloguj si.",.. "tray_my_status_text": "M.j status",.. "tray_get_logs_text": "Pobierz dzienniki",.. "tray_get_support_files_text": "Zbierz pliki pomocy technicznej",.. "tray_status_available_text": "Dost.pny",.. "tray_status_busy_text": "Zaj.ty",.. "tray_status_donotdisturb_text": "Nie przeszkadza.",.. "tray_status_away_text": "Z dala od urz.dzenia",.. "tray_status_berightback_text": "Zaraz wracam",.. "tray_status_appearaway_text": "Wy.wietlaj jako Z dala od komputera",.. "tray_status_resetstatus_text": "Resetuj status",.. "tray_notification_title_text": "Microsoft Tea
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35541
                                                                                            Entropy (8bit):5.446397053355783
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:SJYvECvbn43DvXwzll7REnDPsPxyfltCnZJcT0GNYA9wXVHPPi2+st13JV+kb:SJYvEg+vXGSDPVfltCnZJcT0G2A9wXVN
                                                                                            MD5:304805B0FC9B67CDD2362EA8153B78BF
                                                                                            SHA1:9207AE0ABD42C3CB560F53F963A13E5B31A02DB9
                                                                                            SHA-256:49D1346381A4F976321B335A1235A3B3A38DCCE39A6BAB2FF61715FCE24C0F4D
                                                                                            SHA-512:521C40023760A9B65B2C62A6679895D396AB204C8D0EFE8AA310F74EEEC4332DCBD254F489F9B3B8DDF1E8F8E400E4686BE921734168276936A23BE682CAA563
                                                                                            Malicious:false
                                                                                            Preview:{. "locale": "pseudo",. "strings": {. "ellipsis_text": "[!!...!!]",. "tray_auto_start_button_text": "[!!....-..... ...m. !!]",. "tray_do_not_auto_start_button_text": "[!!.. ... ....-..... ...m. !!]",. "tray_exit_button_text": "[!!.... !!]",. "tray_exit_multi_account_button_text": "[!!.... ... ........ !!]",. "tray_signout_button_text": "[!!.... ... !!]",. "tray_my_status_text": "[!!M. ...... !!]",. "tray_get_logs_text": "[!!... .... !!]",. "tray_get_support_files_text": "[!!....... ....... ..... !!]",. "tray_status_available_text": "[!!.v....... !!]",. "tray_status_busy_text": "[!!.... !!]",. "tray_status_donotdisturb_text": "[!!.. ... ....... !!]",. "tray_status_away_text": "[!!.... !!]",. "tray_status_berightback_text": "[!!.. ..... .... !!]",. "tray_status_appearaway_text": "[!!...
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26707
                                                                                            Entropy (8bit):4.775875623556063
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:zZICW14rsvcxOBNeaICUJKP3A6xGemKyqglJfjJ4v/9LrFsxH:zZICWOxWTICUJKP3A6xGemKyqglJfjJn
                                                                                            MD5:1B9AF28FFC71D790076D467460308E7D
                                                                                            SHA1:500F038DC06DA9002F8360FF914869067FD82723
                                                                                            SHA-256:7A4E7796D7FA0C70DE4BDA3A2BC2FA3A6542981D23795AF35D19599FFA6A74C5
                                                                                            SHA-512:F8CCE87C3046B5518400A1C7B866364C009C7D4C32CEEA3C82AB7ACC6B79CC878A0749D7F1B7D9C235A3248E2FE394B32E1F54A5CEE119B307F5E0D773EEA2A8
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "pt-br",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Iniciar o Teams automaticamente",.. "tray_do_not_auto_start_button_text": "N.o iniciar o Teams automaticamente",.. "tray_exit_button_text": "Encerrar",.. "tray_exit_multi_account_button_text": "Sair de todas as contas",.. "tray_signout_button_text": "Sair",.. "tray_my_status_text": "Meu status",.. "tray_get_logs_text": "Obter logs",.. "tray_get_support_files_text": "Coletar arquivos de suporte",.. "tray_status_available_text": "Dispon.vel",.. "tray_status_busy_text": "Ocupado",.. "tray_status_donotdisturb_text": "N.o incomodar",.. "tray_status_away_text": "Ausente",.. "tray_status_berightback_text": "Volto logo",.. "tray_status_appearaway_text": "Aparecer como ausente",.. "tray_status_resetstatus_text": "Redefinir status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "O Microsoft Teams ai
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27216
                                                                                            Entropy (8bit):4.780531314763251
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:RZb3ZbEmKqGZspYa4Et+sUJLAPQs8cF8XeLxg6L0CpKpvqnDMajq:RZb3xERhatt+sUJLAPQs8cF8XeLxg6Ls
                                                                                            MD5:6BCB2A23BE93DE52DD69E3F55F9858ED
                                                                                            SHA1:223B9F04144E85D833149C858BE0FB8C5546964B
                                                                                            SHA-256:EC30AC84CE43C722BA0FCC1606DE988B9D2B40E779D26E5AD45A263767E76C36
                                                                                            SHA-512:C04C2A15C34A31E53ADA6D1035616C7B742CE5E01F3B034D363C53008CAE95B04E5BEDD1399F8AB1E984A4E8C7881046BDD9BD8EF6B8A4F6C48D3331E23072F7
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "pt-pt",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Iniciar o Teams automaticamente",.. "tray_do_not_auto_start_button_text": "N.o iniciar o Teams automaticamente",.. "tray_exit_button_text": "Sair",.. "tray_exit_multi_account_button_text": "Sair de todas as contas",.. "tray_signout_button_text": "Terminar sess.o",.. "tray_my_status_text": "O meu estado",.. "tray_get_logs_text": "Obter registos",.. "tray_get_support_files_text": "Recolher ficheiros de apoio",.. "tray_status_available_text": "Dispon.vel",.. "tray_status_busy_text": "Ocupado(a)",.. "tray_status_donotdisturb_text": "N.o incomodar",.. "tray_status_away_text": "Ausente",.. "tray_status_berightback_text": "Volto j.",.. "tray_status_appearaway_text": "Aparecer como ausente",.. "tray_status_resetstatus_text": "Repor estado",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "O Micros
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):28030
                                                                                            Entropy (8bit):4.855608689226464
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:1Zoe96siUY3ZUK2jKE1HCqeOScN6tVxuVYWM2DDA3tWCnGhFFp:1ZXY3aKE1HCqeOScN6tVxuVYWM2DDytM
                                                                                            MD5:3BBD3BA4B65603E9B84E02E5D4EC5B19
                                                                                            SHA1:C6D7CA18546C8F4E5A379AE549C4B07C7D62F05A
                                                                                            SHA-256:C36E723109840F55036DAE46431C9D158E4C97CBD0161AF49AE6A39F8504E7D9
                                                                                            SHA-512:2581D118A4F5E92689FDDD2A9379BDA459FE598E25AD338ADC48AABF6677C89E03FCF3C23DA71D208BD6313ABC4320A1AD7E7B035E0847C3686A1A34BC8B557F
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ro-ro",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Porni.i automat Teams",.. "tray_do_not_auto_start_button_text": "Nu porni.i automat Teams",.. "tray_exit_button_text": "P.r.si.i",.. "tray_exit_multi_account_button_text": ".nchide.i toate conturile",.. "tray_signout_button_text": "Deconecta.i-v.",.. "tray_my_status_text": "Starea mea",.. "tray_get_logs_text": "Ob.ine.i jurnale",.. "tray_get_support_files_text": "Colecta.i fi.iere de suport",.. "tray_status_available_text": "Disponibil",.. "tray_status_busy_text": "Ocupat",.. "tray_status_donotdisturb_text": "Nu deranja.i",.. "tray_status_away_text": "Plecat",.. "tray_status_berightback_text": "Revin imediat",.. "tray_status_appearaway_text": "Afi.are ca plecat",.. "tray_status_resetstatus_text": "Reseta.i starea",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35545
                                                                                            Entropy (8bit):5.177022839092741
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:5EZGsQxrEtARsDGOLnY0pJz8v5qO9z3hysUYaZmKyZRPieL+P7J8wCSweaImgYOK:+ZuxUAgLnY0p188O9z3hyfYaZmKyZRP7
                                                                                            MD5:7062BCDF6B85AC2D527810991DAA87C6
                                                                                            SHA1:EFCFEF345DB459DA24743C4902CAE3E5411AD275
                                                                                            SHA-256:760CC6AFD008CE1C067570E2EAE18E04FED9FDEBB3111E3673759CA4099A6885
                                                                                            SHA-512:5FA4F40946437BB744B27F83CCA63A01BC4BB7E4647AF99A6C5743F7A45A13DE18BF63D3D1F42667B7FCCC5D838D2F08A5D5CF8767B446B5EBC71673518800AA
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "ru-ru",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": ".......... Teams",.. "tray_do_not_auto_start_button_text": ".. ......... .......... Teams",.. "tray_exit_button_text": ".......",.. "tray_exit_multi_account_button_text": "..... .. .... ....... .......",.. "tray_signout_button_text": ".....",.. "tray_my_status_text": "... ......",.. "tray_get_logs_text": "....... .......",.. "tray_get_support_files_text": ".... ............... ......",.. "tray_status_available_text": ". ....",.. "tray_status_busy_text": ".....",.. "tray_status_donotdisturb_text": ".. ..........",.. "tray_status_away_text": "... .. .....",.. "tray_status_berightback_text": "..... .......",.. "tray_status_appearaway_text": ".......... ...... \"... ..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27794
                                                                                            Entropy (8bit):5.012845129625841
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:XZMEmMAVDmsPT5L+ZHs7gxBaV5dnJ4BXpFawV+oQhAF/lE1YuvjqTCdFY2oMZj0G:XZMEmpDF5aHsgcVCBpFawV+oQhAF/lE1
                                                                                            MD5:AF57E3160EB1588C637D9342B1D4013B
                                                                                            SHA1:4C8910441E776C43C20575F33B044A99B0327638
                                                                                            SHA-256:C4A20E4BC69896C948DF9AA79AD1AF158CA05CA000F8AE78811B240A843FF246
                                                                                            SHA-512:9208305E1EC960222D5B33B4B2C4DA363B10A49374EC6CA99B1CDE0F598E95B1B54ABF6B0494745E515F4B7E0F80F5F9A0055D8C82DA6E94147015EA1073F649
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "sk-sk",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Automaticky sp...a. Teams",.. "tray_do_not_auto_start_button_text": "Nesp...a. Teams automaticky",.. "tray_exit_button_text": "Ukon.i.",.. "tray_exit_multi_account_button_text": "Ukon.i. v.etky kont.",.. "tray_signout_button_text": "Odhl.si. sa",.. "tray_my_status_text": "M.j stav",.. "tray_get_logs_text": "Z.ska. denn.ky",.. "tray_get_support_files_text": "Zhroma.di. podporn. s.bory",.. "tray_status_available_text": "K dispoz.cii",.. "tray_status_busy_text": "Nem.m .as",.. "tray_status_donotdisturb_text": "Neru.i.",.. "tray_status_away_text": "Som pre.",.. "tray_status_berightback_text": "Hne. sa vr.tim",.. "tray_status_appearaway_text": "Zobrazi. stav Som pre.",.. "tray_status_resetstatus_text": "Resetova. stav",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27084
                                                                                            Entropy (8bit):4.838059833496335
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:i3ZJ0P6sLYraVCxqtlI/VxYS0fd5uS1iVf/n63/HOL8bNLHeIlN9dH:KZA2aCVVxYS0fd5uS1iVf/n63/Hk8bNX
                                                                                            MD5:5F2F55FA835DBBE5612449CCC66AD552
                                                                                            SHA1:0E41103A3DC24B854B3CFCBB79A6C547FC360E23
                                                                                            SHA-256:B4EDFA3661ACB661C161D0F91E1AF467DF275768261E6B3134EE78D84B988E34
                                                                                            SHA-512:6BDBE77F7E1B7D4D3C482A487DF55A662CE9A202C272E5C2B902D03E2539AF15AB165D12D18B775C5A26384B433947F0E2496CF5E46C3554180573D510342217
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "sl-si",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Samodejno za.eni aplikacijo Teams",.. "tray_do_not_auto_start_button_text": "Ne za.eni samodejno aplikacije Teams",.. "tray_exit_button_text": "Zapri",.. "tray_exit_multi_account_button_text": "Zapri vse ra.une",.. "tray_signout_button_text": "Izpis",.. "tray_my_status_text": "Moje stanje",.. "tray_get_logs_text": "Prenos dnevnikov",.. "tray_get_support_files_text": "Zberi datoteke za podporo",.. "tray_status_available_text": "Dosegljiv/-a",.. "tray_status_busy_text": "Zaseden/-a",.. "tray_status_donotdisturb_text": "Ne motite",.. "tray_status_away_text": "Nisem prisoten/-na",.. "tray_status_berightback_text": "Takoj bom nazaj",.. "tray_status_appearaway_text": "Navidez nedosegljiv/-a",.. "tray_status_resetstatus_text": "Ponastavi stanje",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Mic
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27269
                                                                                            Entropy (8bit):4.8566031747099245
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:eZopAOOsueD81zOXxLUWD4sSd0cmUk0FyMISIO2OJo9a0PgSB7ROSO:eZoHAzUxLUWD4sSd0cmUk0FyMISIO2O/
                                                                                            MD5:1335929DAAFE885A1993EC6DD325FD21
                                                                                            SHA1:FF4D14CDFCEB8E8670C2F2633A7F88B4AA2BEE5B
                                                                                            SHA-256:4E7854BF9F447ADB090C27BC59021C95D7AF289AF6B12EDAD2078464D489AA04
                                                                                            SHA-512:735EC5A9133578498E6CF7637D9727B5A49FE3D84AAE110A51FA7A3FF6D049FBEC9A70C024261D7CF2A55DA26224B957A7BCEA56B494B04379E83361D78F28D0
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "sq-al",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Nis automatikisht Teams",.. "tray_do_not_auto_start_button_text": "Mos e nis automatikisht Teams",.. "tray_exit_button_text": "Dil",.. "tray_exit_multi_account_button_text": "Dil nga t. gjitha llogarit.",.. "tray_signout_button_text": "Dil",.. "tray_my_status_text": "Statusi im",.. "tray_get_logs_text": "Merr evidencat",.. "tray_get_support_files_text": "Mblidh skedar.t e mb.shtetjes",.. "tray_status_available_text": "N. dispozicion",.. "tray_status_busy_text": "I z.n.",.. "tray_status_donotdisturb_text": "Mos shqet.so",.. "tray_status_away_text": "Larg",.. "tray_status_berightback_text": "Kthehem shpejt",.. "tray_status_appearaway_text": "Nuk jam n. kompjuter",.. "tray_status_resetstatus_text": "Rivendos statusin",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams .sht
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27020
                                                                                            Entropy (8bit):4.840690412659313
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:eZEXVsnsu5PWSzrOH8jdmr4bD7CUjm1d9lw6qL4fxl:eZmW5nzrOH8jdmr4bD7CUjm1d9lw6qLc
                                                                                            MD5:EAADF5A1C93DFAD6A2B729D2EAE30AF8
                                                                                            SHA1:64E64C6E803C8523DE8CA98157CC0B429B95B89C
                                                                                            SHA-256:B78A9B2D613064EDA2E2CEE8CAA81E0D25DB26AE1FBC9777357E2DD2D6561D80
                                                                                            SHA-512:B467DFD4F793FFD0C9FE81058E630EB12BC57E7E15519C9597A803637768F920177D4A424F6E4C9770453B04F651EE93B182F3AA6550A21BE5846132E93B4F9B
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "sr-latn-rs",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Automatski pokreni Teams",.. "tray_do_not_auto_start_button_text": "Nemoj automatski da pokre.e. Teams",.. "tray_exit_button_text": "Odustani",.. "tray_exit_multi_account_button_text": "Iza.i sa svih naloga",.. "tray_signout_button_text": "Odjavite se",.. "tray_my_status_text": "Moj status",.. "tray_get_logs_text": "Pribavi evidencije",.. "tray_get_support_files_text": "Prikupi datoteke podr.ke",.. "tray_status_available_text": "Dostupan",.. "tray_status_busy_text": "Zauzet",.. "tray_status_donotdisturb_text": "Ne uznemiravaj",.. "tray_status_away_text": "Nisam tu",.. "tray_status_berightback_text": "Odmah se vra.am",.. "tray_status_appearaway_text": "Prika.i kao da nisam tu",.. "tray_status_resetstatus_text": "Resetuj status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Usluga
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):26374
                                                                                            Entropy (8bit):4.8128550341034435
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:JOZZF1PcstR+kyRlXwyUYrDJ9avzcWcNptxfBENVNncBJjG9oFen1u2:wZrB+k4rDJ9avzcWcNptxfBENVNncBJc
                                                                                            MD5:04F15B1B4937FADBE3C27DC795117DB5
                                                                                            SHA1:C2FDD8E927DF0AEBFFB79491CDC18DDF23D77C72
                                                                                            SHA-256:1217AA69A703CEB17408BD5DE366F9DEE8CF98A781E81EF9C760EC02858FA138
                                                                                            SHA-512:F00DB9CB02C2EF4B70E76F852D8CAB9CBB3C7563B70B4611E12B4097B88C28CB44E099228AE414E53A9C15F4220D866A789D56D740A4E1B58AC60D4C2F2C14BE
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "sv-se",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Starta Teams automatiskt",.. "tray_do_not_auto_start_button_text": "Starta inte Teams automatiskt",.. "tray_exit_button_text": "Avsluta",.. "tray_exit_multi_account_button_text": "Avsluta alla konton",.. "tray_signout_button_text": "Logga ut",.. "tray_my_status_text": "Min status",.. "tray_get_logs_text": "H.mta loggar",.. "tray_get_support_files_text": "Samla supportfiler",.. "tray_status_available_text": "Tillg.nglig",.. "tray_status_busy_text": "Upptagen",.. "tray_status_donotdisturb_text": "St.r ej",.. "tray_status_away_text": "Tillf.lligt borta",.. "tray_status_berightback_text": "Strax tillbaka",.. "tray_status_appearaway_text": "Visa som borta",.. "tray_status_resetstatus_text": ".terst.ll status",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams k.rs fortfarande o
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):41657
                                                                                            Entropy (8bit):4.912601302729211
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:baIZFr0NGS6th9i+9TSVzbQHuzAO1sVWHguXIiUKqc11vBA9/2HyNEPuN+e7nxIW:JZvlpvRF5RJ1nS4AkfdO97PTOrT7ufat
                                                                                            MD5:6B9CC351D2E5E44F8ECF02A891F866E2
                                                                                            SHA1:D60F12124D5EDF3CA6BB7F3D42C9E32F0D2FE6EE
                                                                                            SHA-256:5C013A6E332FA94BD60EEECB1CF2498DC587EDCB3239DB1650FF65B6A8E5F16C
                                                                                            SHA-512:FD7194B5470F96BF6AA9DA312011E723CF83C3BB66597DB1BE9CE4FC0172848FDABAFFFC83F089CDB9C7D47EB2B485677BA9C511E222656729A285649A988FB4
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "th-th",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "........ Teams ............",.. "tray_do_not_auto_start_button_text": "............ Teams ............",.. "tray_exit_button_text": "..........",.. "tray_exit_multi_account_button_text": "..................",.. "tray_signout_button_text": ".........",.. "tray_my_status_text": "...........",.. "tray_get_logs_text": "...............",.. "tray_get_support_files_text": "..................",.. "tray_status_available_text": "....",.. "tray_status_busy_text": ".......",.. "tray_status_donotdisturb_text": ".........",.. "tray_status_away_text": ".......",..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):27106
                                                                                            Entropy (8bit):4.976782684688227
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:zZLGILwUKHqdQsi8n5IiH2BB1gxpb9nr148birGJmMJVDHl3dof69tSI2JB:zZV5ItBUb9nr148birGJmMJVDHl3doff
                                                                                            MD5:A7AB18FCB9076BA13DE554DB3AC7CE04
                                                                                            SHA1:3D05AE2D5D5F27816B51C03C4EFA56C20D5F3D41
                                                                                            SHA-256:CF60D0E30BA0586B2DB1009E02202EE3C8C1540EA9896040A2B117820E87623C
                                                                                            SHA-512:6C80A95C7142F015697D03BA020C402504233501EA54F26350135A2018E723AD418991E2A6D716055D100DD5A6C3B606CC83AB5C8EEB49A10D5A205D9E4594B3
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "tr-tr",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "Teams'i otomatik olarak ba.lat",.. "tray_do_not_auto_start_button_text": "Teams'i otomatik olarak ba.latma",.. "tray_exit_button_text": "..k",.. "tray_exit_multi_account_button_text": "T.m hesaplardan ..k",.. "tray_signout_button_text": "Oturumu kapat",.. "tray_my_status_text": "Durumum",.. "tray_get_logs_text": "G.nl.kleri al",.. "tray_get_support_files_text": "Destek dosyalar.n. topla",.. "tray_status_available_text": "Uygun",.. "tray_status_busy_text": "Me.gul",.. "tray_status_donotdisturb_text": "Rahats.z etmeyin",.. "tray_status_away_text": "D..ar.da",.. "tray_status_berightback_text": "Hemen d.nece.im",.. "tray_status_appearaway_text": "D..ar.da g.r.n",.. "tray_status_resetstatus_text": "Durumu s.f.rla",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft T
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):35050
                                                                                            Entropy (8bit):5.208797404465683
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:jZMzNostnUYvbMi6iwbDEVDqj0RbP3rlnLzKPZRWth:jZMnnZvbMi6iwbDEVDqj0RbP3rlnLzKG
                                                                                            MD5:F337B80C5AFCF9EE09B7AC9D39F3DAA9
                                                                                            SHA1:A67DF5CF7EB8DC3EF1ECE12C89F3024D400B8C9A
                                                                                            SHA-256:2DF35A178871AB195C38FF83D2FDEA9B84E918931DC002C5414C164F4788E73D
                                                                                            SHA-512:FCC2C85151E55199D3F39BA7F80E015A8E191B575A43652F08144F2B7221D74AB9C245D26090CCE27CBB3C116188E89D965B93A0DF0A0EA36CD33881D23F4ABC
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "uk-ua",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "......... .......... Teams",.. "tray_do_not_auto_start_button_text": "........ .......... Teams",.. "tray_exit_button_text": ".......",.. "tray_exit_multi_account_button_text": "..... . .... ......... .......",.. "tray_signout_button_text": ".....",.. "tray_my_status_text": "... ....",.. "tray_get_logs_text": "........ .......",.. "tray_get_support_files_text": "....... ..... .........",.. "tray_status_available_text": ".........",.. "tray_status_busy_text": "........",.. "tray_status_donotdisturb_text": ".. .........",.. "tray_status_away_text": ".. .. .....",.. "tray_status_berightback_text": "..... .........",.. "tray_status_appearaway_text": ".. .. .....",.. "tr
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):29889
                                                                                            Entropy (8bit):5.288559683886251
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:i7ZXAqXUJjKl80shirZartV4mQqfQlPF8pOJnxFvVuB99RDD63UYD4jfyIOHbnpX:i7ZXAqXUNE8NirZetV4mQqfQlPmgnxFV
                                                                                            MD5:731AB99C5D3B41E66DB11FC1D3A6301C
                                                                                            SHA1:8D8D445710ACA024805D73AD0802D0CEFA1803E7
                                                                                            SHA-256:B6EEE5052DF0E2473944082C8FE3828F57EBE5A11E6725851E1EE175AC4E5AB9
                                                                                            SHA-512:A554BA994873533AA3FE6E0205A4C2DF1ED60F576CEB2948E1ECCF0BF3B1A35060E6C7D2253285923F60854F8706132A256231E147148CDF0DB1ADDE81B1E6B9
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "vi-vn",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": "T. ..ng kh.i ..ng Teams",.. "tray_do_not_auto_start_button_text": "Kh.ng t. ..ng kh.i ..ng Teams",.. "tray_exit_button_text": "Tho.t",.. "tray_exit_multi_account_button_text": "Tho.t t.t c. c.c t.i kho.n",.. "tray_signout_button_text": "..ng xu.t",.. "tray_my_status_text": "Tra.ng tha.i cu.a t.i",.. "tray_get_logs_text": "T.i nh.t k.",.. "tray_get_support_files_text": "Thu th.p c.c t.p h. tr.",.. "tray_status_available_text": "Tr.c tuy.n",.. "tray_status_busy_text": "B.n",.. "tray_status_donotdisturb_text": "..ng l.m phi.n",.. "tray_status_away_text": "V.ng m.t",.. "tray_status_berightback_text": "Quay l.i ngay",.. "tray_status_appearaway_text": "Hi.n th. l. v.ng m.t",.. "tray_status_resetstatus_text": "...t la.i tra.ng tha.i",.. "tray_notification_titl
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):24742
                                                                                            Entropy (8bit):5.813481044505096
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:w86ZWCpWVYQnBseFiGSjOGSl1ZCku+NigjViUJChb0l6F5mBQ6OYKply9o+2DYZ:AZPuDLxCk/NigjViUJCV0l6F5mBQ6OYz
                                                                                            MD5:8D9D81030AD5C8ECCA31EA7BDABA3D0F
                                                                                            SHA1:D1207D638478C808094573AD0C28C85F9E0F1373
                                                                                            SHA-256:52552F40C0E2962C970A126302C4039B59A82C7FFC0EE7B12A0FA1927CAB2286
                                                                                            SHA-512:53D139899E461E01EE364F840D27D65AB5A26C8FC4BD19B2ED1F9E34E0276A260A7254CB7E75B763D240C4057B4C500326A6C513A1CCCC9C0559E5E4B9E67F30
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "zh-cn",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": ".... Teams",.. "tray_do_not_auto_start_button_text": "....... Teams",.. "tray_exit_button_text": "..",.. "tray_exit_multi_account_button_text": ".......",.. "tray_signout_button_text": "..",.. "tray_my_status_text": "....",.. "tray_get_logs_text": "....",.. "tray_get_support_files_text": "......",.. "tray_status_available_text": "..",.. "tray_status_busy_text": "..",.. "tray_status_donotdisturb_text": "....",.. "tray_status_away_text": "..",.. "tray_status_berightback_text": "....",.. "tray_status_appearaway_text": ".....",.. "tray_status_resetstatus_text": "....",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams ..............",..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):25136
                                                                                            Entropy (8bit):5.83573922064041
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:esZQAkeQ+EmtFs8ZuQkKX7Fu5QU31QJ42yzsXWqiMKAH0Jtp6dQZsRydvPEGtu9d:VZZkeQ+cQVrMiyzsXWqiMKAH0Jtp6dQi
                                                                                            MD5:BF1FC49818300FF93E2F1D3A7B10C8D0
                                                                                            SHA1:9CAA4D01BFEF61FD840ED907DE46C12C27F276EE
                                                                                            SHA-256:D2A9C62F0E318D1784BA6DB7911883C7E88362F99CA4E1F132613AA4D840490B
                                                                                            SHA-512:AB9C1F9FE7FD6DCC75A7888AF8246740C2DFB5AC8CFEE0E261CF163840DD9BC017C0E94D67A8DCA6B0C43DC6DCEFB1546131EB3EBD19521AF9B620659F76B07A
                                                                                            Malicious:false
                                                                                            Preview:{.. "locale": "zh-tw",.. "strings": {.. "ellipsis_text": "...",.. "tray_auto_start_button_text": ".... Teams",.. "tray_do_not_auto_start_button_text": "...... Teams",.. "tray_exit_button_text": "..",.. "tray_exit_multi_account_button_text": "......",.. "tray_signout_button_text": "..",.. "tray_my_status_text": "....",.. "tray_get_logs_text": ".....",.. "tray_get_support_files_text": "......",.. "tray_status_available_text": "..",.. "tray_status_busy_text": "..",.. "tray_status_donotdisturb_text": "....",.. "tray_status_away_text": "..",.. "tray_status_berightback_text": "....",.. "tray_status_appearaway_text": ".....",.. "tray_status_resetstatus_text": "....",.. "tray_notification_title_text": "Microsoft Teams",.. "tray_notification_content_text": "Microsoft Teams ................",..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33864
                                                                                            Entropy (8bit):6.6749170427672215
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:bgYy+J05SY3wauWD5Epw9z9gElzEpw9zT:FMcYgauA5Ep4z9ZzEp4zT
                                                                                            MD5:7F17A972A3F083FC309E93C9ADA8AA10
                                                                                            SHA1:0072330558FB6E91FE6801DE71ACF06A716BBA5C
                                                                                            SHA-256:98B6CD35884C8AE37F33196A132D0029100C0BA8AD2EE0C084A4870CFA832214
                                                                                            SHA-512:D2B924E1BCD5EB260B17CB58E527E87D6FA9E772088F95DF6369599D7C4FFA3866F83D35F6AB333667C129FA8AE9CEE781A46FE8781B37906A60AFC301EC48CA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1016
                                                                                            Entropy (8bit):7.73830447681088
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:+5DjKVMPFXHX5S4wKHWKWZGmy/xRftEircOiO8UN7O3:+5i8HplNRmKtFPPo
                                                                                            MD5:E3B1BA3900BFFAE493B4463F9A6FBC48
                                                                                            SHA1:0BDDCAB7F9537F01900CB7A7AB0FBB1042E460E7
                                                                                            SHA-256:8FDE3D7378D0E9148068C3A9406D5BD754E93C9810FF5D2B8535FC2B65E0830E
                                                                                            SHA-512:8CA0A6304BD871B1F2BECCF6AF9CBB2EC97D05B233B9388CFC760B262509B8BF6F9B50B837D21018FCA6E8627FA11AE67F6AF49440A837701B4C9AE920585246
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1237
                                                                                            Entropy (8bit):7.788008184019191
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:GVwVpPtyAjoNiCkbbtwi0G1UA9WdK+oJgsQ6QVdAmwQATjZWwrpFbVD3r:E6FjowPv70tB/oJgl6Q8mXAT1XLr
                                                                                            MD5:6974CFC337BF190D728C6824EF94AFB6
                                                                                            SHA1:741DABA13F01C19518E2E1E72A93DF2C96227934
                                                                                            SHA-256:115340C0940669C7A55670F03737492FB86D5E34E0390E5664EEA3F9B4147B0C
                                                                                            SHA-512:679AFA5D417748680624314A6E5FF63CBF37D11BF5E95FD2D2114076F1DCD75196849EB39B1D456A8A5DB0019EF2C4C2FD61EA70651DAF158B87A69D8B017FAF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1555
                                                                                            Entropy (8bit):7.805621612269991
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:xyPSt6BuLqrVii+xXSCLqmgDvjUEAkgoX1Amyz/zaY6pGtqPgmeAkG0ZZz:cPSt6G2iimqm+6kgDl/t6iEfGz
                                                                                            MD5:177094A528723CEF49FA2FFDFAB57CF5
                                                                                            SHA1:CBAE150EDCD83F2E9BB87A0BB86CF076EEBC41C2
                                                                                            SHA-256:66CD5E3CFC69AF5087D33C570CFE424B50935B01C27E618CA11822AC7AE6D1E6
                                                                                            SHA-512:AD9394116D2E132EB2BFF48F1AE4AB7AEC5B372FFD2B7B41E29CD8BF26C87725BB48D0C3AD85F7C3C94B4556872A06876D1E95F4AD8A0CF63DD949DBE350D8E8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):821
                                                                                            Entropy (8bit):7.630755600269692
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:L9IW0j2BjoUb25MCbt+OzOGKynRHS/0psG7:LaW0l2Ut+ONRy8+G7
                                                                                            MD5:FAFBA571265B20E0EC4423FEAD972E1B
                                                                                            SHA1:B686D74FF48E3B990F0E312BB0F3AF4E8F53069A
                                                                                            SHA-256:1FB3B4832E92B1E2F998CD2FF4A872000822CBB897D869194195E5C4F8D43CD0
                                                                                            SHA-512:D0523CCC27436A80C5A14094AD244349EFE68FB5A813F97539C3025FCC1F05D6CEC9B8FFD04883E35BCD787A36901246687162B4B86717E81E747B2CF035DD2D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):574
                                                                                            Entropy (8bit):7.347738166641519
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7iHKcqzpeXnDvyEqCcmpZndaYcfyYCta8eq0NRFWBOfmcN274Gl2E7:6cqFeXDvyEqEpZdaYcStx0LFgOfzkUD+
                                                                                            MD5:503E86E4628933D17B5B41B4918D6C9F
                                                                                            SHA1:F884F45CF4EF5B435E554EA30F654F076E50BDF5
                                                                                            SHA-256:1C80CC98643E1D060B9443C98E9AFE663125398F7BB99E5BAB2C0EB952C9C111
                                                                                            SHA-512:22D115A09597F7A8CB0C5BCD0E0BBA55798D3A431B28EC27E9DDAA356BF0AF674BDB78E6D9A3911E2750354D42A8AD628EBD0A7716410360F6D1160258E12C98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):627
                                                                                            Entropy (8bit):7.55832772949955
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/76fR8ZKPil+HE3xZKPwUonTJibKpwwCzc8oRNn/Dna+z:7R/PUsE3xZ/zsbKpcI3Dna+z
                                                                                            MD5:75713D844925AC3404D59C5D56DD996A
                                                                                            SHA1:88F0F5B5450772A85FD61FB5FD54C3A6F7E48585
                                                                                            SHA-256:D4746496079E9C334715958852FA8FB59E54DBDEAD19D83001FA15C1793D27B2
                                                                                            SHA-512:B60E132BD5251084B2C7A22591D72DFDFEBB7A24987ADB8E78CA345694F6043C1F3C7A9205B6052CF3846FCF33179506BFF88C1D1BC8093A7563CF150EC5D30A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):875
                                                                                            Entropy (8bit):7.664401472706693
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MnF5WncYHQTt0feBgmzpRjRqgnoEmDDxM4xr8LTdIDg5X:MFAncIQhee+mdlRlTmW9uDg5X
                                                                                            MD5:F323D73771349B6374462B8A4B708D83
                                                                                            SHA1:39F8860AEC7AC9FF8DF80C770A23F3AC8C3BE4A1
                                                                                            SHA-256:EA0327CD2D987CF069747F70A317E552C0304170177101AA578F04D2EBE9FFB6
                                                                                            SHA-512:5377FD3886FCDEF87B61F1CC825655E6B977E370563B2C2F7B3BB675B8ADCCE621A47F056945A9C0A41F9C10BF4DF6694167E62A310B146587F898D39E753EB2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):483
                                                                                            Entropy (8bit):7.310129121242215
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/78zmIphkxF+oabzkBMDRbuyP+3uvNg9e8lJD+SF330YN:46m0hRl+3q+nD+SiK
                                                                                            MD5:A2761DE768472D09D1E02C92EBD144B5
                                                                                            SHA1:60BA18F0FF47B9E9C3E23B5AE9E95E3D319B5C5D
                                                                                            SHA-256:AC7FE3232888BF96C520D586C723149CD3127E1CE7CC65BC35BA1984CC27BBCA
                                                                                            SHA-512:F330DB55B79E561D2DAC1CD051421F91D6981A489A004EB0EAE3AE090B1386DDF46EFB675A9B6F75A0BB83F741B5DA12E4DFB872EE41782773BFAEC9014CA667
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3097696
                                                                                            Entropy (8bit):6.376562383850651
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:RSYwMLWjLsGKN44mG3uTMnnl5S6niJO+L2U1W1N1TfEoqeoR:QwxNN45G+TMnlXNq/
                                                                                            MD5:65EE46B3B363F0673FD6381DE42E69D8
                                                                                            SHA1:515FC59976C50C95E99ACB0C046BDA605BE4C130
                                                                                            SHA-256:049A56425A4685160A94DE4560AA514F3F575D62D99CB0B10BE2C23F10E9D377
                                                                                            SHA-512:C7A115E277C9823E64F665FD255C7257B387AD29A51D51A3BD75F76D77DE32230928A157A5FBA211B0D8ECF8F66E317FD5F84FC18F43C6116CC5925366B6F539
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):78408
                                                                                            Entropy (8bit):6.129481246167649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nm6516C0z6v8JyJNPk2DuttJ6gDEkeLGzewZGLzw00f:nmqEC0zhyJNPktDXiGyRv0f
                                                                                            MD5:EEA13258A8B7DE541A74D2912769F2A7
                                                                                            SHA1:542082376A88F30ACAE47D71737A043A05334B1A
                                                                                            SHA-256:E4FA6AC046B919137158954B182A647129990B70399C9894CE6918F0FA893262
                                                                                            SHA-512:A8E7A6F7476867199D2E499ED09F11742593B398FAC4B4F3CA9C2D3496AB2A1B80A5E439F4444342D0A30BB3C74FB1A616E508DD05BBAAF6E54681F5F56BF8A9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):41032
                                                                                            Entropy (8bit):6.710594759580758
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:vS0Nb06pBrs9OoJu8Gw1OQaXV9zPgEllVXC4dC9zVj6N:vnb0NO217GnzPZ/C4dezF6N
                                                                                            MD5:E6F3F341BAEB31F4196C3085FB34F767
                                                                                            SHA1:D78EBC71D36B06E0DA7FA41E6D7888FCC71042B6
                                                                                            SHA-256:4BE875B73CD50A95A1480FD3330222C278903DCFA9EE73263198D860827EA9AF
                                                                                            SHA-512:A38A81B096D215E04947BDD2E7D1532E676C8E84DD9CD598D98EE5EBF5C1197CF1AC690F28DA0EAB3DC1CA42CE0CD9F1EAA0901E7CD55C1ECA927D86E880C365
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):937544
                                                                                            Entropy (8bit):5.838809981110096
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:uMt+vIZDreuKQvgXyexT4Yn2sxGwmBgjoIb:jVbgXyeV46xGjBgj1
                                                                                            MD5:528D783F83C540EFC5F138D21E8C1696
                                                                                            SHA1:64F87F45719CA06143AA6328A52E6A96285DA63A
                                                                                            SHA-256:CE06CDE2B771E6E215CA9A10F8739A23AB2990A53C32301E42838D40E8E355F3
                                                                                            SHA-512:ED2562BE767103C2FD7179B0F632A2250F8EF97950341C6D0FE6AC8BA347499682CF7201289169855F313D47833F863FCC110B54864A8BBABF046FFD8B5902CF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):248904
                                                                                            Entropy (8bit):6.150746670116204
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:Le3vee9g5nwddPS764sTCYfMLG/Hb25jiV9MPsJvgk+TB:E9GGd676469Ma/RVKPsJYkA
                                                                                            MD5:96E9C38D030B3ECB4E674227F2214272
                                                                                            SHA1:8D6BFF68B89630C7DBCE8A5120110816BCD2B881
                                                                                            SHA-256:170B6F45031B97C665AAF19B4A85E1DCE035243A0972CADFFD855B11E15C9F2F
                                                                                            SHA-512:773C8E286ECC0AC57F14C6F46FB58327DE21F04FBC7B3977270D0A7770E0CEB9E0D4B60A79D1DA82E7D1F4FDD40AF9281CFBE78B27C180BD7B57C2F29E99B7C0
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):40008
                                                                                            Entropy (8bit):6.683761370543717
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:3nom7dmnAf1LHF51ap+v/7pK+4nCLEpw9zUzgEl3H7Re9zno:39Rhaps7pnq2Ep4zAZXFazno
                                                                                            MD5:8B49A5EDDC4FD8D66224C96F90637305
                                                                                            SHA1:683B198B685AF5329EC6EC1171266AC84D3B7ABB
                                                                                            SHA-256:04C9F32B9FAD48DF69E9675B30554712AC87659ED9B4AE29FC04007DFFF0092E
                                                                                            SHA-512:C55A44341A8B748C5F7092C397D494B2A98922AB2C2B7CBC994640F6663647640FBA4E7BF33C5B4E01F4951BAC9BE68A764309D3C83BF49F247AB563A59776AB
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):32840
                                                                                            Entropy (8bit):6.85712169528054
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:z5BNiiCAlw5LfyacHbZTowwWYsQWSW/7R9zkV+Hh5yEFHRN7GNQSR9z+zCu:zrFo5xwlvfF9z6EhgElG6e9z0Cu
                                                                                            MD5:D24A006BCE2DB1A2F0463714BDA1758F
                                                                                            SHA1:1DBDAF547C164430F8A1E59F4DF6D95E7A31F001
                                                                                            SHA-256:5A2FE2BC4E619066404BAE87FD7D9A449054977D64F7D3825A8A63254070A07D
                                                                                            SHA-512:9AFCA008708C0E389DD7443C8A10F651D1216D4B7134122B96645F73645CD7317C6266B7D30F586C253D87083973AFB006C0418A981FE7478A2ADB0CE373C3F2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1096776
                                                                                            Entropy (8bit):5.795453024854296
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:nH7Ek5BVh5Bsu0G179oVVmfLEq2aw+QUZT:H7Eds79oVVmfLEqNw+1F
                                                                                            MD5:AD514AF0C57668FCEE3C7AAD08B398E8
                                                                                            SHA1:8A1E7B31BF4C7784CDAF8497A73CEB5210A8FEF1
                                                                                            SHA-256:37879DF89E78E89ADB33918C3CA4D0DF623CEB059057FA6A7FA828100D98F19F
                                                                                            SHA-512:CC1905C4F7F48B727DA8FC240F641EB881D5C328496EB9ADA257EB09424FB761354C32F08760C60AB192F43575A28917B2C1262AC7E716C2B1A1A13E97297F22
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):515
                                                                                            Entropy (8bit):5.076136391837345
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:TMHdGzNFF7ap+5v5OXrL/2/tFicYoKV7VirkTyxm:2duPF7NhOXrT2/H9kirkV
                                                                                            MD5:ED080ED5825CF4893CA4F7D1395B9957
                                                                                            SHA1:3905E190109E5DF90676F4716A69C815A6E52B44
                                                                                            SHA-256:29F368DEF465F1AE30DF31EBCA4A976F180DBCF3718605B4ACB0D6DA95A30855
                                                                                            SHA-512:73041863B7916B21A56D5C61933D9922D24B15548D7356DFEE42C3AB617F72A04AA8080F3C5EB3F21D968FFB38C7244D4484E78540BF6BB8FC93600A017E43D0
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup></configuration>..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):295008
                                                                                            Entropy (8bit):5.771512173166689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:6ylhq4ugopeh5eBeGNx8cNe+zcee9eoedTeeIzeqRK0e6eR9pRFIEIEEICepM1Sj:2P4eR9pRFIEIEEICepM1S2LQQs1hP19x
                                                                                            MD5:D3A3E82247F81342E217C92B9C89BC86
                                                                                            SHA1:CBD914785348331AE68528ED71E317ECADDC10DE
                                                                                            SHA-256:B39CA19017B8B99385A588433B4AA1CC87DDE272DA14771A9750F00605D31091
                                                                                            SHA-512:EE5968A216BD402632A0CA1073B8C4CA5303CF28F30002AAAF2E7590B565FA3BF951E7B62320E4E3592DE50B9F56F08ECADCF67B50659DF056BB5812388A962D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):45152
                                                                                            Entropy (8bit):6.663371468091526
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:iTFfTl1XWYTACPHZDgcE05P4Jjrnh2jwSosuTv1JKa5/Zi/6LsubsOzMnXbD9zMz:iTFbHXLPHZDgcE05P4JjrnawSosu71Jh
                                                                                            MD5:F86AFF1B72BF70884B4BE0CA38919369
                                                                                            SHA1:8D3DDF77DE94F5EAE244AD09F9D2ADDCC2DEF709
                                                                                            SHA-256:69B2BBF16659F98D589942A1A3F344550DD1E03446DF4F81DC4668F1D51CFEC0
                                                                                            SHA-512:718F629F907EDFADFFCBCA135DB6153B2BE001E450940722B43C16279CF9ED0A6384D1205D3287F397B2E8FCD9A5615BB2497E8717B6CF6391EFADF1BB122480
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):50760
                                                                                            Entropy (8bit):6.631383698123452
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0X0t7C3ZK8wDP/ryEH0mBO4JjrDXaUfUPLkIFKKa5/Bi/hGvoAwWKSVdxxzXZVP/:0X0t23ZK8wDP/b0mBO4JjrDXaUfUPLkR
                                                                                            MD5:04B900A20C71F7A23BEBA77F88B86308
                                                                                            SHA1:C5BCD7AE974EBF89F6D12F26DBAA9B4FD4CF2A53
                                                                                            SHA-256:BBA041B5BE0946EAEDE57AE31361844CA781C9FAE80607980465C7F2422F83BD
                                                                                            SHA-512:F40B2ABAD653F4433D8B7C665D37000780D7A1289F4B187F8B51CA7C8D577C7D7449A5E12C0DCB1FBBFC45403437D6F9F4AD09CA326239C4D1823908063CE19F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):714312
                                                                                            Entropy (8bit):5.981067761075983
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:H9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc30:H8m657w6ZBLmkitKqBCjC0PDgM5
                                                                                            MD5:D473F50D1D29B975DA5B6EE0BE8DAA16
                                                                                            SHA1:AAFC94D3C26041CCA3737FDF6240290DBAC1388C
                                                                                            SHA-256:E57E1BD98CF3EB35B61BC5603DA893DD8018BE8CD6CC582D263CD964CE1E47DD
                                                                                            SHA-512:1BB89EBE3EE9D61ECD194ED008C25733C5888FDBDE41A3D248161EE4A708526489A2F79D23EEE97CCAB0D58622ADDE158E07225B8A64AD1F6593CF848206FACC
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4255816
                                                                                            Entropy (8bit):6.621144248265792
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:6vVaimCiynv9z1Rgzg5mHIZcAf8liK4B7sCIIcxiVztD4Up1ljWp3HGmhMhS+/Nt:64uz3gcmpXGmiMDTw5
                                                                                            MD5:8E3C04EB2236C4CB93A631AEDC3EA9C8
                                                                                            SHA1:B4E83AEDC2ED818705A0F2EA1C544943D0D830A5
                                                                                            SHA-256:E9E25A64D404F38BF8DC6CFA94A80B7CC8C758A5E32CD671C57BA6F32D05BF63
                                                                                            SHA-512:35F264538670B290DB473CA32E6400FCB3A3D4053180E61F4D49B8CE2D66C8C3C9AD30A60EFCB8D3A2CF1B6B7F75C34B648A52CD85B837E8F954A444543682E5
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):94312
                                                                                            Entropy (8bit):5.905204811037498
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:erLOBZPOcQY5bOfk4GftC07uktN9XNEgfpXaXr0iMJgBGILkDzVZl0+88niFF2Gj:eeBZPOcQY5bOM4IuktN9XNEgfpXaXr0s
                                                                                            MD5:A70D021C422B844D5B3708A619466057
                                                                                            SHA1:5F63C78F20FA7E7ACA36C91F209D4215C854C90A
                                                                                            SHA-256:5692B8A4E74EC8484A87D68379FC69FC119E980F79D2765F7FCA5BF5FA302024
                                                                                            SHA-512:A8CDCC3043376A1D25B318739DB7545CCB0ED77C1E134CC03B5A009A655EA6861EE3E7246EBDFFA6D53B6BE31EBFFF93B34322488C1067712F0A280ED2B8ECB3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):189544
                                                                                            Entropy (8bit):6.2575053993527705
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MXWun8Jw8fCk/Dvf5eso7DpGbG8pwp2xuRLYs8jn4xo:MXWu8Jw4L/D3UVVGbGbd2
                                                                                            MD5:8FBA542C86765B116FD3B6A397196984
                                                                                            SHA1:47D65C9D0C0D07C4E76F3516C90E7FD1CEAC1B0B
                                                                                            SHA-256:7E0C5104F49C2B79E0261BAB191CF7ED25BBE9C01BCB7DCEDAE5C6AA1F8BA94B
                                                                                            SHA-512:89C05EFE882C226EB55A0D234BE49E2D4D639DB08FB0BF85129E672CE3773EFFA82E7F95EDB1F7DE1F3B8B57B38203AA69E8B84CB51885A9CE9918332DC06D22
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1769056
                                                                                            Entropy (8bit):6.166747246802417
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:s5EOB1S6bxNZHY6vApo47bw0puGr7WH3TvKsUfWdZAujbC/:s5Ei1S6bvZYn20uGr7UTtdQ
                                                                                            MD5:68489533091EA68287F7F777301585B3
                                                                                            SHA1:4DF72C6058EAEC0595B3737703F75E452EB49704
                                                                                            SHA-256:61B5650FAA6325CD16E3A65739017421043D618B122780C5905AA24A10122ACE
                                                                                            SHA-512:D2297C8A14C44CFCD1E7F06C52E111A25DDAE050A76E72E14F6ED0FBB15D35DEB0ED4AC134D342FE9FA49CF4717177C1763BEE82A1FFA3AF3B7B06C62A4B3624
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62536
                                                                                            Entropy (8bit):6.619052550214228
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:KO9gSK8rih93rkkMy6HMyFPcIk9WvLdQWuB5X2PHJMK1SNahIg8DTuf3T11EikM/:T9gSK8rih93rkkMy6HMyFPcIk9WvLdQM
                                                                                            MD5:918B2973A82BDA52C4AC8A09D2574E1C
                                                                                            SHA1:40FF2FBFC9D48610CA8334696D0A8292E7F98B2A
                                                                                            SHA-256:F43F46284EA5B51849A485A76D6435B37D830EDACE7C3FBD461703A24AD50CE4
                                                                                            SHA-512:41098F24BD33E89F72D4A5F4A2F07D9330C57CD36EADC7DEDB1F793C7C893C231320033BF87E28197EAD74667636444530180C57C78A4E9EE68575B86D285E3E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):65640
                                                                                            Entropy (8bit):6.573404012365602
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6O9nxMvE5lU94Zs+uNQGChcfaEt5tHBB8spapY1KCcLJIaSgN8AzlaGEikcwsLzv:D9nxMs5lU94Zs+uNQGChcfaEt5tHBB8/
                                                                                            MD5:EB05AC049255AEC7D000FF9164B5C579
                                                                                            SHA1:8CDB9A4576EA58DD1C10F6E3426A01CDFF5E7E6A
                                                                                            SHA-256:ACF1548E834F32D5AC15B7B2393CA55C098F160222052B0EBF9BBB6B86E13DF0
                                                                                            SHA-512:20DEB44D7785D22B5B5787B5640D063DB48E4CB68C3B719C04B9E1BCA21AAAF46F471E6A580DB7C521A98BF2000D2FB02F89E14E81DBC3F18F4FF0600B527BEA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.4892523851181485
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:3O9PKsQZAjb+f5g3GTGw9dLFqH78Iu3vwUT/aDXeX3iqeVQkiO7imZOEikxgsmzG:e9PKsQZAjb+f5g3GTGw9dLFqH78Iu3vU
                                                                                            MD5:0042BCE2705220E9992DADEB9725B4B6
                                                                                            SHA1:AA3403D14D626E96BFA25807D437AFB70874B7BA
                                                                                            SHA-256:48BA5EB4C48A09339870E676668D46F1A91A12C7DD362C571B0DF8898245665E
                                                                                            SHA-512:61083CE34048F15D7737670F27551822C4ABC84A0021CEFE2942A35C5BBD88A27DD85A6678ED6377F8F041A3002AABA8D7C40623C2733365AAF7A17CF5C5633F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.561446350526192
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:/O9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSL4rOeqDuseAT8HNQ3spEik2wsezBlZAv:G9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSq
                                                                                            MD5:8CD85487C33E93419C0B4DEF6256DE5F
                                                                                            SHA1:C1B6735FB85B9CD557E16286ADC0842302394445
                                                                                            SHA-256:CCCEDB9A5C9E8962EAA1AE49336911FE9B38402A77EB6F402C2E4CBD93C71887
                                                                                            SHA-512:C221DECA3F0C69C6D25F8709AA2501090CF5FE113D1764BA39D7EBD8EC9C1C1B281A8D20F586AD6F52BE17BDAFD58AF85BFF034592FE2A3F6EC4BB7F600F6B0A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.521529157814906
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:kO9ADi+BGe+Yj+fEligSKm9qI32i3loAECsedjllekCRf4FwpL6pTgskpEikhQsS:R9ADi+BGe+Yj+fEligSKm9qI32i3loAa
                                                                                            MD5:E30390D70C3D4089E674A6A1E953AE77
                                                                                            SHA1:5AAA7EC14E8BF4FAB1BDE339C67E97D0D5BAEF4A
                                                                                            SHA-256:D48E430A4641A2659F425E07EE20F1B7047A958AB3500204315E681F98712199
                                                                                            SHA-512:9E1755C9B874CAB0B7375700289535BF39303275F4AB46DD4B2694D8C4CB8EEA93C0F4ECB267D419F9A43C69B3DA7654425867836066A16494A80A11470727B1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59488
                                                                                            Entropy (8bit):6.519135032255633
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:8O9Nhjxn9FWv4GByP5KpHSnLbM9B5vBmGOv0/kOeR/1OgBly2bCx4EikxgsCC4dj:p9NhjV9FWv4GByP5KpHSnLbM9B5vBmGE
                                                                                            MD5:69361950F536EFCB3345972BD44A788B
                                                                                            SHA1:11AAD570C143AB9C2A3FFB9D8F12D6C7376B8291
                                                                                            SHA-256:4778D0F95106388141E524649B5E9D365626A1F00A522D6F0187B4413E633021
                                                                                            SHA-512:024965A5B9FA7451188C4EF63E95840AAE9122935DF35538653C2E66DCEBA40C8DC77686761AD53FFE25AFC1479ECCF5105A551E11BA2D80A9C88CC5EE929235
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.501050121893406
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6O9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4bydq5inL+yPocyx+q92nYHYHzB2iHG36:D9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4k
                                                                                            MD5:82C5114A1BFAF242A09136EC943B30F3
                                                                                            SHA1:0CD51F2771F1B6F12F770C510B1A491177334CD2
                                                                                            SHA-256:665981F1234BFAD8C0108D1C7ECF5097C2EC918D9F164A4B7F8269A43C55917A
                                                                                            SHA-512:FC8638592A7FE0114B8948ED4FB3EE9EDDC20AEFA16C8741D8A706E7A2CC8186E50EBD7E530D1320AD9A80A2A9757CA36140BF3EE4DDD03D0D33A87078783820
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):66632
                                                                                            Entropy (8bit):6.59091502517811
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:+O9OCfiY82Whhf/Oaxtz9dgqn1LsIOYCZx/QxJHDv+sBkzKJMPYBj8UHNDoEikcj:X9OCff82Whhf/Oaxtz9dgqn1LsIOYCZV
                                                                                            MD5:7FE494D6AF0B9325257186DB2F2A5B3C
                                                                                            SHA1:B1BDD6D3156FB5BE8CC7C0FEC22F85DF8F5F3887
                                                                                            SHA-256:DE2284A8BCBFE4B747AE0A53BFB8055791BB2AC63661581C76278674199A05DA
                                                                                            SHA-512:0149FC3ADBCAEE5C710EF05E3B56D5C39577213708485BA045FA3F8223757B7078327B080932593839548DF46481CC506898A4DF63A9F92E3CF650237EAED992
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58976
                                                                                            Entropy (8bit):6.513267731001312
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9jlXq39V7UTJazmvWyBmehkkSgwgt7pK1Iq6lDRyFxutpLdcIkey5ZvEikNQsP:k9jlXq39V7UTJazmvWyBmehkkSgwgt7j
                                                                                            MD5:A35042A4DBD03ECE06C1E77A060ABC61
                                                                                            SHA1:F854516FA8503BBC42AE13D484548B82D298642B
                                                                                            SHA-256:373857D0601291C5A931F24E44C55DA79E8ECD6D20FC1F747001F3CC07373D60
                                                                                            SHA-512:3996ADA54AEEA1C1C83535E5D7CA3269340DD7F944DE8B92E274A808350DC513683EDA368135814A9DBE1133A0238A34557DEDD98C9921AE364E9A95EF87C026
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.497159783858232
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:YO9PcsKNcG6/SfNsIpERGRBPvJV50ATCaHC1B4/QYfsueQ5amCVBjEik7Qslz0ZW:l9PcsKNn6/SfNsIpERGRBPvJV50ATCal
                                                                                            MD5:2204315EF94FB761A9881358A5E76A24
                                                                                            SHA1:23AA21968A31225F55DDDD05786AE3229C034721
                                                                                            SHA-256:790BDA84F8558D880F31BE0D2623BF91B042FB887DE7BC34838B2A7B2F809E84
                                                                                            SHA-512:6C85AE675793BC5692310076C70BFA6E58FC58485FFC3E61815CEA124732B5C70C63C9385E6906F8296274FF021EA4C97E4ECF74CFEA6417438C74747A2864DF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.496671021509118
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:IO9PcsAbAUxcRLSpEebIfb5lG2vuq9o7UtIbQrZuGl2v/+/UAsO8jEikKAsNzrZL:V9PcsAbAUxcRLSpEebIfb5lG2vuq9sU0
                                                                                            MD5:D55D270FDAA1438E86CB88A50D14307F
                                                                                            SHA1:A263D5CC55A46E6425BCE9755EAB5C71CB130015
                                                                                            SHA-256:E043A91947011D2A147E65CDB2740632D823E16D41972C0FEFA5E8292CE2404B
                                                                                            SHA-512:EC83C29D02D75167562E7B7258FB522DD6A6F37C813F71E265F9D59610F5BC3886965647806F7E58D75F48F3646101657B5CEAD58093DB51A58802C727706F2B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.518455229340612
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:YO9pDyWBFils6mKaFq1ZU7iPZn3VfrsYaInkpxOM8zrBwl0xvWbiLv8LEikkwsO8:l9pDyWBFils6mKaFq1ZU7iPZn3VfrsYo
                                                                                            MD5:C9A8FE2E0F679F8463B88547C27255DD
                                                                                            SHA1:C3AACD5338702F76A1BBE8577601850AE96FBEC4
                                                                                            SHA-256:25D3804E16CAF591F113CF8F88FDCC2C7B0FE2CC86F6E443B0FB3B87E3D9B5D1
                                                                                            SHA-512:2DE3028BB76C51E15ED96BC6654C0E8B14548BADB45AEB3719704B51B7532D7CCB4D87CE21C5ADEF5A1E9A50B356F9D4A64BC46EEE9DF61AC46296C1CE07300B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.5124724749609975
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO9WHroG73/MBcBgbQtAIceIZJA4qErCGAqNDEvu/XcgKErjRfxLzqkXzEikrgsg:29WHroG73/MBcBgbQtAIceIZJA4qErCU
                                                                                            MD5:A101FD35F9452436479CBC0569AF5F0F
                                                                                            SHA1:A8270B69B7D54BECD4814E8436AA316EC96D397B
                                                                                            SHA-256:6A8A99D5DC4CB1A0F62D87F8558C6ACF375DE8D696C46920A5FD400B3841D4E0
                                                                                            SHA-512:422C3989345E5E343205433E5709135573ED50AE18DBAC33F9A898E2CDDA65A2CE53DF9A774CF6CF92650057E8BB049B30DAF8216D263507FC20B18357E8959F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.501505785175988
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:9O9ADK9GGZoFZbcS0PFl8SJiJS4+X2uMd0dSBb/yNvd1SiUU/GpgYCv1Ny7iwEi1:I9ADK9GGZoFZbcS0PFl8SJiJS4+X2uMD
                                                                                            MD5:43EBF6698E8ED6E57A8A3FB079F718CE
                                                                                            SHA1:D282791F153159EE4093CB2424DC52C2E334BB40
                                                                                            SHA-256:A3A951E4BED1FD9F001A20886878980EDCCA336CC50054B1C9CDE99A2D2F2533
                                                                                            SHA-512:0111ECFA04BE397A235F2F1549046831577676F90984F34B1919AD1B8B6CA5D8DCA8FCA5650DB99B85253997BA95D6971B43650BB29781EE64BA79B2434EB096
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.507124752707679
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:XO9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxIjfwjRGaDZng/7HXwpJjAvvhYpvvFi/N:+9ADl++Qh8hF3dLNbJZIeiVFbdQ9cBxq
                                                                                            MD5:B500AD907A9F4E95314179A34DEC75E7
                                                                                            SHA1:DA22B47E32D7DE1D8BECACF2392CEF47D3460977
                                                                                            SHA-256:893EF5FEBF0F7118E4E7A6EF18A521C6A85A390FBDBB03E19754E83A60841945
                                                                                            SHA-512:4C88E4975E5A375FD8E958B57BC400796540CE80F9B393C77624C0652BEA26B113AF9136B43FD2B7C5BCBEB5382E73EA93743B8F58DB3BE022921B52E2204F55
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62024
                                                                                            Entropy (8bit):6.56914871344235
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9CElFACr31NvYOv0ffLE2WGNFzw9mgCOppcdIUX/a9BcPF4O9M6XPfEik2BQs+:w9CElFACr31NvYOv0ffLE2WGNFzw9mgX
                                                                                            MD5:4BDBF1DBA1B7B321E15265EE6D7E7195
                                                                                            SHA1:53708179AABE57782275FDDBD5DC03133CF3FE13
                                                                                            SHA-256:A880CBAB569A1A1B79FDD0BF22AABEB970ACD52B7F8DEF9930C8FEA4F2119888
                                                                                            SHA-512:D825BC8A138E5C70FE7E3FC242DE5E03C653C6CD5A97E9D26B29B1294ACD4A74FFD9CA8A3E31B33936A390DFC4E4CB630EC3FD055AADB6CF6BEF9EE958124377
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.500655599661843
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nO9dO2GxyJQPMKJUlRKXQu+aOdD68/8aEv8Fez74mwBxG211H/KqIG1EikRAs/zN:O9dO2GxyJQPMKJUlRKXQu+aOdD68/8a6
                                                                                            MD5:A17F101F048C7E157FE53D6C533D298D
                                                                                            SHA1:D3D3D09BBBF7269A269368818A039E7EA5779CD9
                                                                                            SHA-256:FC5560A78421EB40350F57221995647C8136156ECC81A8A8E9C1081FD07FF038
                                                                                            SHA-512:F79F07492674C88AC76EF3966C38BC5C7C1A2190A6A5778B5ACACEB8130476FBE7C48C8CC3182663ADC61FCD4BF0C3342EA7CD2147BC6D87B449280F5B93B8E9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61032
                                                                                            Entropy (8bit):6.545333848393183
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9PebzfDSD12NfIBLCOP8mTtzDd0Wx4Ky6Vlm3KlbcGUYTo1f8Q8ZOQXOQ8M0Qb:E9PebzfDSD12NfIBLCOP8mTtzDd0Wx4i
                                                                                            MD5:E3C3CD6A7D0B5BE8FDAB1353EC88E841
                                                                                            SHA1:25F66AE84F3804709441812F9148CC3638F44ED9
                                                                                            SHA-256:147FC977F5955EE8ADBD02DE361444D7EA76AA52C3F376E817D0031A1798586D
                                                                                            SHA-512:0740D73B3E3AE434119A852DBE23295407547CC45A015B5C41E32AE7D2F9681A8681D6BA30224D8812693B2EE6A8C33C28C0B9A6E1EF6305CCCEDE435FC07898
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.487928672817359
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:zO9NagPURiGTqSzcnYzsdxAeetb2YHEKTtWA16o3vPjBjtLP7bUcEikkHwsMzEZv:a9NagPURiGTqSzcnYzsdxAeetb2YHEK5
                                                                                            MD5:E63026CCA00C40945973E40C060537D0
                                                                                            SHA1:0B734DE1E644FCA3B91817956079187F107B88CB
                                                                                            SHA-256:8AF427016925C688B075C8E6621F8141B6CD47C585CD2AEB1E6029F27BE881C7
                                                                                            SHA-512:73CF03C490732D18E94A0076FC3F4ED0B3E20B9FCFB46BB8AEB3FC25F7D3AE38EFE51229170567BC8735AA986A49D4FD06417EA66DE5BF48106AEB50992414BA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.531167197804544
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:aO9WAqYD97mcB1jaIJB8E3rTYSXxVG12uonduxkeU+BJRUJsQVr1q4EikrkwsOzf:j9WAqa97mcB1jaIJBP3rTYSXxVG12uow
                                                                                            MD5:00F47F64738E11F38F72C6C82FCB84E1
                                                                                            SHA1:1F55D1C6BF1378CA0E8B564E248C2483A59FA07A
                                                                                            SHA-256:49CBA0B6AC65DB3176B850D610055A6F0897F121E1DD6FEAC1F419986627AE24
                                                                                            SHA-512:1B586222146E4897E9B3DF351E9AAFAC4C80958629F1D255225C265B90F7DAEB4DDD9273E8944E08D19BD6278AE49A650B2042F9A7C2D62193131F1C31392883
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.471403653759095
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9P3y5h0Fp0NK/gRcFvoZ4FKKC2msifHLrEvI2UzpCwqPZHas2dyHrWEikrQws3:Z9P3y5h0Fp0NK/gRcFvoZ4sKC2msifHf
                                                                                            MD5:7024B9BB3F91080CE12B744352561DBF
                                                                                            SHA1:C971444A6DF7F332FDFED322F764DB15EBD398CB
                                                                                            SHA-256:4037E573F2D03C612B1A18EC231B66291722096B9CA9BF5B9EA6387EBFEDEE35
                                                                                            SHA-512:45B4CFFAF77FCA07DEC8EEFFDE6B43BF1F1D54FFE16C66A7F2002E89520CE412243844AE275A01218A7C0767339467731420920C4C943574AB3A6D52919BB6A9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62048
                                                                                            Entropy (8bit):6.68305367310075
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:EO9WeuzR+bLcQmuGuRuBG6v7yM5uGJ0HIc2N37cRAoXDuII5ZCUaRvEikkgsRzzP:x9Weud+bLcQmuGuRuBG6v7yM5uGJ0HI4
                                                                                            MD5:07440CAE8E6B27E2BC26386AFDDB70B6
                                                                                            SHA1:76084A1A6A5B8BF6BC688B0D88228F422AC07144
                                                                                            SHA-256:1EED650838D7C0BBEBDB83A1B8D9997D2012FA6E1304E2B7BA6828AF6115F3CC
                                                                                            SHA-512:C759918FF36CEAA7F1F9F4FF22D1AD578E1DE997E0FEFFA005801693815E2F8D1E5200B1975BF4711D5A20067FF72E31B180A504F927E80F82F5F9BF1FFAAF86
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.6739946564864026
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:hO9WAqhvGiu7WCbAfU8Uvg2LKhiM3fYzsKNLz89SghOD/4Ke5XzjEikwQAsAzyZO:s9WAqhvGiu7WCbAfU8Uvg2LKhiM3fYzU
                                                                                            MD5:356873E063BD208A4D216D5276990B49
                                                                                            SHA1:78CBEE7DD690AB66760388D5334C4A4EABE95438
                                                                                            SHA-256:D583A30A4C38711ECF4CE369D153994297705086E264C5D083A0D9BDF016F980
                                                                                            SHA-512:EFBDBEB5569BBEC794D259263129246DD125CE338D2C7225D3DCDFF8BE5685F8D035C567C6E9C78740C7DB7610D1F423D55CC5B12E8F9859A6F1581119F1D392
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.537260960859277
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO9B5vAqvshLrR3gUZO2A9oclmD1tdDnpRmtQH2QKDTLXosU2ex+nuYEZEikg9gd:29B5vfvshLrR3gUZO2A9oclmD1tdDnpe
                                                                                            MD5:D02761F132672E5B23C669A12FECDEE8
                                                                                            SHA1:4EDE1CDC961CB562E26D895304EA15DC7861F909
                                                                                            SHA-256:37B47B96EF781DC85D7D16AF45E9CCBECC621BFB8829F3E7F5675DCF30787C0D
                                                                                            SHA-512:0B896B49011A6292ACCBA5A2C2E6AEF9144889A9EB57E37C55AFB2DC11C861FCBCD363C05833F1F3D9E3DF70CD77CBDB5022A1D8AE1B56DD2050C2EF46027251
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.550250140012729
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:NO9jvyffWGiHpdYq84Ae89YJTrjz46UNhNnkGzColMa9TJERMCx+Eik0QsAz6iAY:Y9jvyffWGiHpdYq84Ae89YJTrjz46UNu
                                                                                            MD5:3144EB325CF91713A398CADF793050CC
                                                                                            SHA1:DF26539AD41F2616F7B19A852058AE1057955CA7
                                                                                            SHA-256:79994B09E068AF6A30EAD314DCF59D0DD0F76AFB628108CBFB20667EF04487DB
                                                                                            SHA-512:BFC3BC6AC117435C1F2ACF94417368873502C3DFF6C838273E3BD8D91C394769F2390CA3766FC241CF2533E6593609606272CBF0413ABC75435F1A9AAE4DF2C4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):575080
                                                                                            Entropy (8bit):6.521129188359906
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:VUfve/yP6vdqumz2etG5ePx2Fl5/G3XLSNuDaQEKZm+jWodEEVfKF:VPbl9G32UDaQEKZm+jWodEEBKF
                                                                                            MD5:80B9E0B8F82ED4FA77504E8542474E62
                                                                                            SHA1:7A1AB5E2469F66DBB55AA559EEABC802718AB5DB
                                                                                            SHA-256:48E9CB77BFCC210DA6908410C9D604EE5401DAAFCD18A6EDC8028FFE2296CC0B
                                                                                            SHA-512:EFA6D3B877E4809E4EA0903EDA6D500E7227EB5FE034163D3E9299CCADAFB41B2D42E5CB00B015F3BFF46BB302DFC9789E8F60C020D1E8C61817D4F47DC6B9DA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.506596897827211
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:rO9NAXZqHGnAfUPOMnwjxNK0/84Z1aBBX2dulK0rEyKpFbFK0qA5n0EikpAs9tEJ:y9NAXZqHGnAfUPOMnwjxNK0/84Z1aBBN
                                                                                            MD5:EB594ED6AAC282A630EC76A6C666568B
                                                                                            SHA1:CC9405D539AF74D6CBB2907169179B32E2E645D0
                                                                                            SHA-256:71BAE7FCF4BB8A311A91283AA248782C844D9227DB6E1FE04E48A4CAB14AC526
                                                                                            SHA-512:BD31CC0E98DA09876A79C0FAC14C0C196AFF161E96765B4AB347208AE11C4E19BAB15D270C319F3ADE3D8B00FC11946DFDCCF6BF2783F44D9E663895017FEFF6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.489311459832048
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:WO9PR9q4u0ayE7tbVTGDyl5lr41AcUV3tbUe1FdFYWssYYzTRo+0W+zmtq6+D+rn:v9PR9q4u0ayE7tbVTGDyl5lr41AcUV3L
                                                                                            MD5:BD45CE1BBD7F5130195DBD73AD56E606
                                                                                            SHA1:5A817D3AF42A2354FC668BCD4FDFCE0DA0D35570
                                                                                            SHA-256:D02D2FF4F09DDAF6037396B99D25FB1FAED784C6C4CC2170D148E837394BDB52
                                                                                            SHA-512:64478405C87E625E4870A6ACC183625BD8DDE212B2A09A71A7A6E37C2849296D74A70A1E3C4AB09118BA2C800591B820AA842251CBF2DF87EE8FC99009028976
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.514600219985342
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.5286663954726745
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.512637538205462
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.492692129735815
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.5227816765189095
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64584
                                                                                            Entropy (8bit):6.607514539190837
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):151144
                                                                                            Entropy (8bit):6.290559037571387
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.55399526567631
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.5077376831024445
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.509192080147688
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59464
                                                                                            Entropy (8bit):6.533113744944594
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):69224
                                                                                            Entropy (8bit):6.490605086681413
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.536989118356474
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAZ2tWD5WtcRxzkebFbrLyPPEikYAsZIz3:E9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAN
                                                                                            MD5:ECD1472F7619D89326F308DABA8CFFE3
                                                                                            SHA1:AC4FE0B2501AF9FE2866F0D028C5FCD56768D431
                                                                                            SHA-256:9A41DEA86E5298CAC5F601F58BA4100DF330B8C342064ADE82F75C517A3B0CA6
                                                                                            SHA-512:497CDE74ED8A0F2C264895B27DBA345725EE35D886CF4530A2CFA62FD71A2B2D121A5E0A7900C890CE73EBE539B57B82E71FBD4C06DABCA68397B596770F9041
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64072
                                                                                            Entropy (8bit):6.608282850162704
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO97noksNVY4yQM8s8KU9oTU9j6qImAdgM3XRPW+292RK/1BI3HkkKajOhEiknAz:297noksNVY4yQM8s8KU9oTU9j6qImAdU
                                                                                            MD5:91D5B8C378ABD54B49E001DB04413E73
                                                                                            SHA1:8DBFE4F8589F584D05330FACEA335955905E090C
                                                                                            SHA-256:123C3AC7668699DAC8D68E84E31CAD657244E5CB25C698525D1CDD1173D4C0EF
                                                                                            SHA-512:D0E689C099FF906EEB33B947E59C3753EFDDE762D3250F6A506C54179A2C11813ABCD7F99C7792E8072A6DE7DC6D31D27FA47A138AFCD827EC14A69FD405874C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):107080
                                                                                            Entropy (8bit):6.637040413259322
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:rWD4eUp+HQpcNg0MFdH+F7fecbTUwevPGY:riPUuQpRdUNecbTUPn9
                                                                                            MD5:A973A87E053354B8E5BCA3940970EDA2
                                                                                            SHA1:74B0ECB1754C0590AC124DCC838A41FC55B34AB1
                                                                                            SHA-256:DCC03DB3271E2BF54D44A790119799DF9E217B73DB84578B24B5EC9F082E4BB4
                                                                                            SHA-512:8E256712E9D0FF1F328ED85BC7418238C5E65D11950411F437733FA9E6E554F079D25F06985BF7E443B2BC2E44B57C272327173566281CFE65CC7D8ACDB16640
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):47712
                                                                                            Entropy (8bit):6.743964781245747
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:qdCm5nhUcxgHY/ntXBzxvbT71oel9zu/AmV9zi:qI1z4hx71d3zMAmnzi
                                                                                            MD5:34798510935FF576CDD2516AFB3D5BF5
                                                                                            SHA1:98E6CEFC2C6761D602742DC23C024977ED71280D
                                                                                            SHA-256:AEAE775B321FDD5B2FDF88D4D21F8119C376D6909839671B35D8E03A04F6B609
                                                                                            SHA-512:F18FB3A2E4A82DF6B025E037D4A730B6985C212936547E0BF19D7AD76D7AA49B06162A773EB99664BDAF1A37932AA2CD35DBBEF83A89BA4C80505E820C3AC13C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61536
                                                                                            Entropy (8bit):6.622372328119638
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:TO9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF825mb6ZB+D31jnVJvWf6Qjlux6+nEikSQ:69gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF8g
                                                                                            MD5:906FB620C50C4C7EBFF5791603490271
                                                                                            SHA1:37AE916A56C30D81B9617F8503EEED3992FBC05E
                                                                                            SHA-256:2B58D9BE8E4F6C6F621AD28F590A708F5EA2C87B03C276AD6BFCEAFC3FD80135
                                                                                            SHA-512:EE656EC98D1C3CC2B570D8A187B3DC24DB9202812F75372D2A23820870FAA625FCA945BD8D388FD3511744003B236AEC5DCD675945C4E59FD0D3BF51E345F60A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58440
                                                                                            Entropy (8bit):6.69454740850101
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:BO9WbWCHB/rkbEqBAVidKSlcZSI3+B0ncFytfjCqpXFBwW8jeFLd8EikKwsOnzex:M9WbWSB/rkbEqBAVidKSlcZSI3+B0nc5
                                                                                            MD5:CE1AD81DEDBF6F14A73ACEE060E2A1B7
                                                                                            SHA1:EB494BEB84E84FB1B2F9269623B00CF9D28FBD8A
                                                                                            SHA-256:6412546AAA0E1C24A8381520DFC495C6F9D7789BB912F8EADD48CC7325035E20
                                                                                            SHA-512:FDB847D2B021251CEBED07B437420CD94AAB1BD92B60C3873F33F1B68CD9B0D9A0287C34E23087074251629EA04B7B0F5FBB8AC3C530BD6621D2B601AB04375E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58472
                                                                                            Entropy (8bit):6.707560977053907
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nO9WbWqDTFAyR6j4hxW50IEdIhR2Ji1paNSh0CvJaCuXaSQCHM7IXLDEiktwsOwV:O9WbWqDTFAyR6j4hxW50IEdIhR2Ji1p3
                                                                                            MD5:1330C50B0A761AF68E519A0BACD736CC
                                                                                            SHA1:7CC90128B38291F22A483A6F19299ADACFCD62A9
                                                                                            SHA-256:C859C796261C20575473A3B7680B0464BEF20F8A0E3C3807F05D4A360A63167A
                                                                                            SHA-512:BE5290A1384F90FCD564F94FEB2A614768806E224A2E71AC9ABE42289241485781922B406F8D484C0C485FF9778F5E6D43903DB73676C55DC33FD3D87F78C761
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33864
                                                                                            Entropy (8bit):6.6749170427672215
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:bgYy+J05SY3wauWD5Epw9z9gElzEpw9zT:FMcYgauA5Ep4z9ZzEp4zT
                                                                                            MD5:7F17A972A3F083FC309E93C9ADA8AA10
                                                                                            SHA1:0072330558FB6E91FE6801DE71ACF06A716BBA5C
                                                                                            SHA-256:98B6CD35884C8AE37F33196A132D0029100C0BA8AD2EE0C084A4870CFA832214
                                                                                            SHA-512:D2B924E1BCD5EB260B17CB58E527E87D6FA9E772088F95DF6369599D7C4FFA3866F83D35F6AB333667C129FA8AE9CEE781A46FE8781B37906A60AFC301EC48CA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1016
                                                                                            Entropy (8bit):7.73830447681088
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:+5DjKVMPFXHX5S4wKHWKWZGmy/xRftEircOiO8UN7O3:+5i8HplNRmKtFPPo
                                                                                            MD5:E3B1BA3900BFFAE493B4463F9A6FBC48
                                                                                            SHA1:0BDDCAB7F9537F01900CB7A7AB0FBB1042E460E7
                                                                                            SHA-256:8FDE3D7378D0E9148068C3A9406D5BD754E93C9810FF5D2B8535FC2B65E0830E
                                                                                            SHA-512:8CA0A6304BD871B1F2BECCF6AF9CBB2EC97D05B233B9388CFC760B262509B8BF6F9B50B837D21018FCA6E8627FA11AE67F6AF49440A837701B4C9AE920585246
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1237
                                                                                            Entropy (8bit):7.788008184019191
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:GVwVpPtyAjoNiCkbbtwi0G1UA9WdK+oJgsQ6QVdAmwQATjZWwrpFbVD3r:E6FjowPv70tB/oJgl6Q8mXAT1XLr
                                                                                            MD5:6974CFC337BF190D728C6824EF94AFB6
                                                                                            SHA1:741DABA13F01C19518E2E1E72A93DF2C96227934
                                                                                            SHA-256:115340C0940669C7A55670F03737492FB86D5E34E0390E5664EEA3F9B4147B0C
                                                                                            SHA-512:679AFA5D417748680624314A6E5FF63CBF37D11BF5E95FD2D2114076F1DCD75196849EB39B1D456A8A5DB0019EF2C4C2FD61EA70651DAF158B87A69D8B017FAF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):1555
                                                                                            Entropy (8bit):7.805621612269991
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:xyPSt6BuLqrVii+xXSCLqmgDvjUEAkgoX1Amyz/zaY6pGtqPgmeAkG0ZZz:cPSt6G2iimqm+6kgDl/t6iEfGz
                                                                                            MD5:177094A528723CEF49FA2FFDFAB57CF5
                                                                                            SHA1:CBAE150EDCD83F2E9BB87A0BB86CF076EEBC41C2
                                                                                            SHA-256:66CD5E3CFC69AF5087D33C570CFE424B50935B01C27E618CA11822AC7AE6D1E6
                                                                                            SHA-512:AD9394116D2E132EB2BFF48F1AE4AB7AEC5B372FFD2B7B41E29CD8BF26C87725BB48D0C3AD85F7C3C94B4556872A06876D1E95F4AD8A0CF63DD949DBE350D8E8
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):821
                                                                                            Entropy (8bit):7.630755600269692
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:L9IW0j2BjoUb25MCbt+OzOGKynRHS/0psG7:LaW0l2Ut+ONRy8+G7
                                                                                            MD5:FAFBA571265B20E0EC4423FEAD972E1B
                                                                                            SHA1:B686D74FF48E3B990F0E312BB0F3AF4E8F53069A
                                                                                            SHA-256:1FB3B4832E92B1E2F998CD2FF4A872000822CBB897D869194195E5C4F8D43CD0
                                                                                            SHA-512:D0523CCC27436A80C5A14094AD244349EFE68FB5A813F97539C3025FCC1F05D6CEC9B8FFD04883E35BCD787A36901246687162B4B86717E81E747B2CF035DD2D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):574
                                                                                            Entropy (8bit):7.347738166641519
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/7iHKcqzpeXnDvyEqCcmpZndaYcfyYCta8eq0NRFWBOfmcN274Gl2E7:6cqFeXDvyEqEpZdaYcStx0LFgOfzkUD+
                                                                                            MD5:503E86E4628933D17B5B41B4918D6C9F
                                                                                            SHA1:F884F45CF4EF5B435E554EA30F654F076E50BDF5
                                                                                            SHA-256:1C80CC98643E1D060B9443C98E9AFE663125398F7BB99E5BAB2C0EB952C9C111
                                                                                            SHA-512:22D115A09597F7A8CB0C5BCD0E0BBA55798D3A431B28EC27E9DDAA356BF0AF674BDB78E6D9A3911E2750354D42A8AD628EBD0A7716410360F6D1160258E12C98
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):627
                                                                                            Entropy (8bit):7.55832772949955
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/76fR8ZKPil+HE3xZKPwUonTJibKpwwCzc8oRNn/Dna+z:7R/PUsE3xZ/zsbKpcI3Dna+z
                                                                                            MD5:75713D844925AC3404D59C5D56DD996A
                                                                                            SHA1:88F0F5B5450772A85FD61FB5FD54C3A6F7E48585
                                                                                            SHA-256:D4746496079E9C334715958852FA8FB59E54DBDEAD19D83001FA15C1793D27B2
                                                                                            SHA-512:B60E132BD5251084B2C7A22591D72DFDFEBB7A24987ADB8E78CA345694F6043C1F3C7A9205B6052CF3846FCF33179506BFF88C1D1BC8093A7563CF150EC5D30A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):875
                                                                                            Entropy (8bit):7.664401472706693
                                                                                            Encrypted:false
                                                                                            SSDEEP:24:MnF5WncYHQTt0feBgmzpRjRqgnoEmDDxM4xr8LTdIDg5X:MFAncIQhee+mdlRlTmW9uDg5X
                                                                                            MD5:F323D73771349B6374462B8A4B708D83
                                                                                            SHA1:39F8860AEC7AC9FF8DF80C770A23F3AC8C3BE4A1
                                                                                            SHA-256:EA0327CD2D987CF069747F70A317E552C0304170177101AA578F04D2EBE9FFB6
                                                                                            SHA-512:5377FD3886FCDEF87B61F1CC825655E6B977E370563B2C2F7B3BB675B8ADCCE621A47F056945A9C0A41F9C10BF4DF6694167E62A310B146587F898D39E753EB2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):483
                                                                                            Entropy (8bit):7.310129121242215
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:6v/78zmIphkxF+oabzkBMDRbuyP+3uvNg9e8lJD+SF330YN:46m0hRl+3q+nD+SiK
                                                                                            MD5:A2761DE768472D09D1E02C92EBD144B5
                                                                                            SHA1:60BA18F0FF47B9E9C3E23B5AE9E95E3D319B5C5D
                                                                                            SHA-256:AC7FE3232888BF96C520D586C723149CD3127E1CE7CC65BC35BA1984CC27BBCA
                                                                                            SHA-512:F330DB55B79E561D2DAC1CD051421F91D6981A489A004EB0EAE3AE090B1386DDF46EFB675A9B6F75A0BB83F741B5DA12E4DFB872EE41782773BFAEC9014CA667
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1626208
                                                                                            Entropy (8bit):6.836593084030771
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:FiooDWLdfZohLu+Qzv53gyYq/t1CjQaLOGwkR2HwMuTwbXjBWQ1KLgKRw4jZh:Fioo+dfqL81//Ijt
                                                                                            MD5:56782B45762DEE25B58E68D574A91468
                                                                                            SHA1:B36B5BDF938132CDE279F555C3F0FFC58B17C540
                                                                                            SHA-256:19071E7F9D27FE8E766456FA5224A12588DECDED12AE305A082A5BD48E3D1CB6
                                                                                            SHA-512:1161162EF540F5D327367BCE65B39B1154916FF8D36464FF571F9D7D70F9572E48FDFC79B467917792629AE0B4F5B787798858B09370D36BB837D9A1D5D4B9C3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):78408
                                                                                            Entropy (8bit):6.129481246167649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:nm6516C0z6v8JyJNPk2DuttJ6gDEkeLGzewZGLzw00f:nmqEC0zhyJNPktDXiGyRv0f
                                                                                            MD5:EEA13258A8B7DE541A74D2912769F2A7
                                                                                            SHA1:542082376A88F30ACAE47D71737A043A05334B1A
                                                                                            SHA-256:E4FA6AC046B919137158954B182A647129990B70399C9894CE6918F0FA893262
                                                                                            SHA-512:A8E7A6F7476867199D2E499ED09F11742593B398FAC4B4F3CA9C2D3496AB2A1B80A5E439F4444342D0A30BB3C74FB1A616E508DD05BBAAF6E54681F5F56BF8A9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):41032
                                                                                            Entropy (8bit):6.710594759580758
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:vS0Nb06pBrs9OoJu8Gw1OQaXV9zPgEllVXC4dC9zVj6N:vnb0NO217GnzPZ/C4dezF6N
                                                                                            MD5:E6F3F341BAEB31F4196C3085FB34F767
                                                                                            SHA1:D78EBC71D36B06E0DA7FA41E6D7888FCC71042B6
                                                                                            SHA-256:4BE875B73CD50A95A1480FD3330222C278903DCFA9EE73263198D860827EA9AF
                                                                                            SHA-512:A38A81B096D215E04947BDD2E7D1532E676C8E84DD9CD598D98EE5EBF5C1197CF1AC690F28DA0EAB3DC1CA42CE0CD9F1EAA0901E7CD55C1ECA927D86E880C365
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):937544
                                                                                            Entropy (8bit):5.838809981110096
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:uMt+vIZDreuKQvgXyexT4Yn2sxGwmBgjoIb:jVbgXyeV46xGjBgj1
                                                                                            MD5:528D783F83C540EFC5F138D21E8C1696
                                                                                            SHA1:64F87F45719CA06143AA6328A52E6A96285DA63A
                                                                                            SHA-256:CE06CDE2B771E6E215CA9A10F8739A23AB2990A53C32301E42838D40E8E355F3
                                                                                            SHA-512:ED2562BE767103C2FD7179B0F632A2250F8EF97950341C6D0FE6AC8BA347499682CF7201289169855F313D47833F863FCC110B54864A8BBABF046FFD8B5902CF
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):252512
                                                                                            Entropy (8bit):6.362389658905794
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:yDooTOC7Qc83rAUPtqy/KOak1VLsJYI52ZTG1h7iriwV3nm:yDoor5+lqyCa5sJ/7imAW
                                                                                            MD5:7FEB8740803639B2D4F945032AD5AB35
                                                                                            SHA1:1A96043B957A544D2A683A9F34273B3D4D410176
                                                                                            SHA-256:7AF7AB8BAE45CC39108640B02BF864A0923EA9249C11D11DFDB375ACCE6A5787
                                                                                            SHA-512:0469C31C0BD093C46FE6268B1EB6FFE512F198C1EAD0B4D463072F2C0F5AFE7A09A4C80F8FBA89714B2B54DB3C111AEF066FBE0D862EF2C2EAA86E8D4E5DFDA2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):40520
                                                                                            Entropy (8bit):6.639030202064737
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:oom7dmnAf1mkMF51ap+v/7pKK4gKK9zNEgElAVXC4dC9zVj6YM:aR+aps7pfNfzWZ8C4dezF6YM
                                                                                            MD5:B05D496887FE2A9E6EB1B054D7C67FD0
                                                                                            SHA1:D67E9867684EB6ADC456A8A12DA59A043ADD9F63
                                                                                            SHA-256:B66E0755E36F168AF5AB5EBF6FC493FFC6ACF322DF0446DBF03D9531F1ADFE81
                                                                                            SHA-512:2C5BD0172B2D9B7CD629B22B25E7C7A1FF19BFC7A831F622E7A388AA4D9F2FE3F2A6D2A48F5BFB81B727BEAD80B07A07F5C9EA1777747EBBC46E806398223D2F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):33384
                                                                                            Entropy (8bit):6.800503141051873
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:Vd5BNiiCEvdA5LfyacHbZTmwBWYsQWRCs1MR9zlN5W2pM/NEHRN7b2IR9zgRqt1O:VdrF05xwn0U9zl+2pIAKU9z/0
                                                                                            MD5:32743467628DB11AC5AC9C7BECF72430
                                                                                            SHA1:26FF39C01012934345C3FD4B156CEC0BD240941D
                                                                                            SHA-256:79906800C06A9B80BB204233EBB7EF05168218C687B47E7AC1DACE115A028CF1
                                                                                            SHA-512:09455FAEAF0E21D1E6C2A5413C259AF8AD44E674B9EAA766DB9CB4C71A659B3E77177C52292B67983900AABFCF8B5A31FBADD4FB711A72D8DFE5A1EDF24B5C2C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1097800
                                                                                            Entropy (8bit):5.792143415990996
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:AH7EkgPiZ5Bsu0G179oVVmfLEq2awGQUZ:a7EbXs79oVVmfLEqNwG1Z
                                                                                            MD5:257D3AD395C9CF96B0B06DE7AF86959B
                                                                                            SHA1:B6C9A1E7EB119C7A8FF4FA0F9D3FB96DAA7E25FB
                                                                                            SHA-256:D6E3E4C181A50F751BF0ABB51E9F678B8A670144C7ADE4DB99103A2AFE9FFFE8
                                                                                            SHA-512:061473D98CF2397607CB83EB59F49F028D2441B1F18E11B64F096E3FD2FE85D8A400FCC9CF60CA7C596218BED46CEC417ABC16ADBAFC899DC678977AE58D5A4F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):515
                                                                                            Entropy (8bit):5.076136391837345
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:TMHdGzNFF7ap+5v5OXrL/2/tFicYoKV7VirkTyxm:2duPF7NhOXrT2/H9kirkV
                                                                                            MD5:ED080ED5825CF4893CA4F7D1395B9957
                                                                                            SHA1:3905E190109E5DF90676F4716A69C815A6E52B44
                                                                                            SHA-256:29F368DEF465F1AE30DF31EBCA4A976F180DBCF3718605B4ACB0D6DA95A30855
                                                                                            SHA-512:73041863B7916B21A56D5C61933D9922D24B15548D7356DFEE42C3AB617F72A04AA8080F3C5EB3F21D968FFB38C7244D4484E78540BF6BB8FC93600A017E43D0
                                                                                            Malicious:false
                                                                                            Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral"/>.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0"/>.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup></configuration>..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):295008
                                                                                            Entropy (8bit):5.771512173166689
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:6ylhq4ugopeh5eBeGNx8cNe+zcee9eoedTeeIzeqRK0e6eR9pRFIEIEEICepM1Sj:2P4eR9pRFIEIEEICepM1S2LQQs1hP19x
                                                                                            MD5:D3A3E82247F81342E217C92B9C89BC86
                                                                                            SHA1:CBD914785348331AE68528ED71E317ECADDC10DE
                                                                                            SHA-256:B39CA19017B8B99385A588433B4AA1CC87DDE272DA14771A9750F00605D31091
                                                                                            SHA-512:EE5968A216BD402632A0CA1073B8C4CA5303CF28F30002AAAF2E7590B565FA3BF951E7B62320E4E3592DE50B9F56F08ECADCF67B50659DF056BB5812388A962D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):45152
                                                                                            Entropy (8bit):6.663371468091526
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:iTFfTl1XWYTACPHZDgcE05P4Jjrnh2jwSosuTv1JKa5/Zi/6LsubsOzMnXbD9zMz:iTFbHXLPHZDgcE05P4JjrnawSosu71Jh
                                                                                            MD5:F86AFF1B72BF70884B4BE0CA38919369
                                                                                            SHA1:8D3DDF77DE94F5EAE244AD09F9D2ADDCC2DEF709
                                                                                            SHA-256:69B2BBF16659F98D589942A1A3F344550DD1E03446DF4F81DC4668F1D51CFEC0
                                                                                            SHA-512:718F629F907EDFADFFCBCA135DB6153B2BE001E450940722B43C16279CF9ED0A6384D1205D3287F397B2E8FCD9A5615BB2497E8717B6CF6391EFADF1BB122480
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):50760
                                                                                            Entropy (8bit):6.631383698123452
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0X0t7C3ZK8wDP/ryEH0mBO4JjrDXaUfUPLkIFKKa5/Bi/hGvoAwWKSVdxxzXZVP/:0X0t23ZK8wDP/b0mBO4JjrDXaUfUPLkR
                                                                                            MD5:04B900A20C71F7A23BEBA77F88B86308
                                                                                            SHA1:C5BCD7AE974EBF89F6D12F26DBAA9B4FD4CF2A53
                                                                                            SHA-256:BBA041B5BE0946EAEDE57AE31361844CA781C9FAE80607980465C7F2422F83BD
                                                                                            SHA-512:F40B2ABAD653F4433D8B7C665D37000780D7A1289F4B187F8B51CA7C8D577C7D7449A5E12C0DCB1FBBFC45403437D6F9F4AD09CA326239C4D1823908063CE19F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):714312
                                                                                            Entropy (8bit):5.981067761075983
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:H9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc30:H8m657w6ZBLmkitKqBCjC0PDgM5
                                                                                            MD5:D473F50D1D29B975DA5B6EE0BE8DAA16
                                                                                            SHA1:AAFC94D3C26041CCA3737FDF6240290DBAC1388C
                                                                                            SHA-256:E57E1BD98CF3EB35B61BC5603DA893DD8018BE8CD6CC582D263CD964CE1E47DD
                                                                                            SHA-512:1BB89EBE3EE9D61ECD194ED008C25733C5888FDBDE41A3D248161EE4A708526489A2F79D23EEE97CCAB0D58622ADDE158E07225B8A64AD1F6593CF848206FACC
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):3764832
                                                                                            Entropy (8bit):6.859369138253314
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:HEERDAD3OE+TYoUjYnjglMZqCo8q4T3Ka/Z+fsh0EGR+hmahbt3pHGiOTYHf8P8c:HEERDAD3OFYoU8jgGq1V4TaHviOTY8
                                                                                            MD5:C0A14FE8511CF67D40BBC606EFF12A5E
                                                                                            SHA1:9E1A3183E9FDAE57B59C8A5B7A8D86360B175B42
                                                                                            SHA-256:E1B7188C8F3713C188C4B9F3318EB72614C498493342B169234FBDE7FD2DC0D9
                                                                                            SHA-512:4AC4BCF33E039F2404E088FE7E55634F032109EBF53A5EC851525DE75B4116D29CD75D29B186212DF305F6467A47F18D6C6190632FFC0D736C4FD7BA112F43D7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):94312
                                                                                            Entropy (8bit):5.905204811037498
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:erLOBZPOcQY5bOfk4GftC07uktN9XNEgfpXaXr0iMJgBGILkDzVZl0+88niFF2Gj:eeBZPOcQY5bOM4IuktN9XNEgfpXaXr0s
                                                                                            MD5:A70D021C422B844D5B3708A619466057
                                                                                            SHA1:5F63C78F20FA7E7ACA36C91F209D4215C854C90A
                                                                                            SHA-256:5692B8A4E74EC8484A87D68379FC69FC119E980F79D2765F7FCA5BF5FA302024
                                                                                            SHA-512:A8CDCC3043376A1D25B318739DB7545CCB0ED77C1E134CC03B5A009A655EA6861EE3E7246EBDFFA6D53B6BE31EBFFF93B34322488C1067712F0A280ED2B8ECB3
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):189544
                                                                                            Entropy (8bit):6.2575053993527705
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:MXWun8Jw8fCk/Dvf5eso7DpGbG8pwp2xuRLYs8jn4xo:MXWu8Jw4L/D3UVVGbGbd2
                                                                                            MD5:8FBA542C86765B116FD3B6A397196984
                                                                                            SHA1:47D65C9D0C0D07C4E76F3516C90E7FD1CEAC1B0B
                                                                                            SHA-256:7E0C5104F49C2B79E0261BAB191CF7ED25BBE9C01BCB7DCEDAE5C6AA1F8BA94B
                                                                                            SHA-512:89C05EFE882C226EB55A0D234BE49E2D4D639DB08FB0BF85129E672CE3773EFFA82E7F95EDB1F7DE1F3B8B57B38203AA69E8B84CB51885A9CE9918332DC06D22
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1443936
                                                                                            Entropy (8bit):6.527875057204511
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:lTLWvdxPRBVcPrV/guppMXb1xaKbtQnVfAEwCnCnT+XgFz4a0of+IJR2:RWvdxPRex/hpskKenVfA8nOT+wFzL0oo
                                                                                            MD5:7B6F85665FC19F835F60DCFD446EEC8A
                                                                                            SHA1:14FF072047A82CD3259D5895F9EEEFBD7F243F35
                                                                                            SHA-256:A7BDE8B9A4073473A28DB5ABE3C12ADDEC08CCDA516F2DC79A79F3BFFFEC5208
                                                                                            SHA-512:2BBD7FE67DD132C8029504F0BC5E50396A0BC26BEB3D705E11F04A12FC13334485345170B72567C9A865227B55E53FD21712CB34231C6A72ED5A96D992017A44
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):63048
                                                                                            Entropy (8bit):6.588536490520649
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0O9gSK8rih93rkkMy6HMyFPcIk9WvLdQWuB5X2PHJMK1SNahIg8DTuf3TV1EikMb:h9gSK8rih93rkkMy6HMyFPcIk9WvLdQw
                                                                                            MD5:CD9C599823A276D142D9ACB18A8B801B
                                                                                            SHA1:40B12D68A23FF1F31806D56D8A75E3C55A898C59
                                                                                            SHA-256:6412C7FCB2836C0E059FFBA36FDF50882B61A5EC9FF23F780019A52E5C05779E
                                                                                            SHA-512:10CDA635B5F975FACDA13D4480988A465775E6CE00DF0E4D34494D6943347A711B8922AFFD7D96F344A8CBB6FB3EA3A9B4E9E88F83F22C08C42008EB52DA4E5C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):66120
                                                                                            Entropy (8bit):6.543326876591306
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:bO9nxMvE5lU94Zs+uNQGChcfaEt5tHBB8spapY1KCcLJIaSgN8AzlyGEikgUWsQ+:i9nxMs5lU94Zs+uNQGChcfaEt5tHBB8y
                                                                                            MD5:D47B102DB26B2C40ADA0B88864D4BF16
                                                                                            SHA1:5962E4ED89789D36A22130F10F5836EF9FD24358
                                                                                            SHA-256:F0015E72C92B5B83FD23A62F8B0ADF25C53DA2005EB90BDD6ABE83BE4D91158B
                                                                                            SHA-512:72E2F68460CF16EE211A81F50E63A12A61C5838D33D84D5A00C2F9DC44E6AD645A0DB01C22BC739436DD721A5BFE70D2B4E3227517CBFBB04B0C18E6669F444F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.459202313419593
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:6O9PKsQZAjb+f5g3GTGw9dLFqH78Iu3vwUT/aDXeX3iqeVQkiO7imJOEikSwsyCT:D9PKsQZAjb+f5g3GTGw9dLFqH78Iu3v7
                                                                                            MD5:158930A69BD74A6476AA3817D1C2BEB1
                                                                                            SHA1:2B9F0777B03832E92C50FCC58BD793C43CE60865
                                                                                            SHA-256:E540D3BBDDAF741A9DDC6F0AB16E4C77115CE1F4B2D4C2037A00285012E0C003
                                                                                            SHA-512:9ED62D6B361248E4AEE394F57488685F4E027D17F91F22C903668E713632CAB33A960B5B4E2F9717194ED1DF7B08816A662E344E04B12B6C81A1C44F61E776D4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60784
                                                                                            Entropy (8bit):6.521074063197344
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:qO9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSL4rOeqDuseAT8HNQ30pEikrKsBCz9Z4q:z9CKHHlgdQ4L2QSW6YEcNHuSlMGtrVSs
                                                                                            MD5:6169CF3B98276F3CF9974DC2D1CED2D0
                                                                                            SHA1:2D9DCA45E40BF720D1ADB1D2A9F7F20E4F2EA931
                                                                                            SHA-256:45287112403521B91DE985160177515004F2618D0DDD1EA0B3B9EBBC10BA5D62
                                                                                            SHA-512:3CADAA8A166FF5527B8266BC88956319A88230C02E1F279A0805CD3EE39B0542C262EAF7E558AEB6750AF291AD4E3A4264D7F70B6AB4ED60E4D30EF4D739099A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.486964327280261
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9ADi+BGe+Yj+fEligSKm9qI32i3loAECsedjllekCRf4FwpL6pTgscpEik1HsF:k9ADi+BGe+Yj+fEligSKm9qI32i3loAI
                                                                                            MD5:085E2A3801FD052FA78EB35784861A67
                                                                                            SHA1:A08D98B2B03AD9EFC473CF9ED529039983D93D9A
                                                                                            SHA-256:77D095EC973D379CB55A8B88EB3DB34F5FC02BBABE36DA6A25EBA3F2C382EF51
                                                                                            SHA-512:E2AF53D5A6C61C52C0981C83BCCDA87939D64DECE4BF0D48CC1573C4E2D4D3773CA49A3174381BE1AA50D22CA4258229DD0C18C556519AD4A9A6FE457A2D0DD5
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.487146751316606
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:NO9Nhjxn9FWv4GByP5KpHSnLbM9B5vBmGOv0/kOeR/1OgBly2bCR4EikxRsxEp4i:Y9NhjV9FWv4GByP5KpHSnLbM9B5vBmGL
                                                                                            MD5:97D41B502E4BEAE98B24AA3A4CAE529A
                                                                                            SHA1:0926DBF0CEB2A3ADE1085FA4557038F574390C5E
                                                                                            SHA-256:E33BE073C742689A49FD50F7AF08D1F013DD79C6AD918CE976447BAF84B7AF67
                                                                                            SHA-512:C0A98F9472FA74E6FBBB5AC731F0D1F817B8B272B8E486F67FA23CABD7643D1C72B4901452FE257A7D9D6EDB2F3EB6A91D3AE2050B2CBF9B56FFCDEE0B92A1DA
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62056
                                                                                            Entropy (8bit):6.434087583320252
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:wO9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4bydq5inL+yPocyx+q92nYHYHzB2iHG3e:d9P3k0b/0/IDJaXmsl/+ToOLWiXp3n4k
                                                                                            MD5:F990C8CCBBA3F311BCB66CC36BD28090
                                                                                            SHA1:D7EFAF9B2022B7EE0C794CB24AD2A8208C570630
                                                                                            SHA-256:305A7A96FCE15405505331D6EF78DB5F88C4FBC32D5E9FE89EEB235DCA3335D9
                                                                                            SHA-512:EE222DCB4DDFB650F18A3A7283AE8DE59FDC3A1E1A4DD58D80EC05C9934AEBD8DC9BAF9C1E77E3B1B5D66334CC7D823B6FBEBA57C6E17447AF8852DF454DC84F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):67168
                                                                                            Entropy (8bit):6.566460710824405
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZO9OCfiY82Whhf/Oaxtz9dgqn1LsIOYCZx/QxJHDv+sBkzKJMPYBj8UHN7oEikcL:k9OCff82Whhf/Oaxtz9dgqn1LsIOYCZZ
                                                                                            MD5:C38DB5F652DE91B18DCCBDFFDCCEC503
                                                                                            SHA1:75BD4F252284E87BD4613913FC9B2D408AF355AC
                                                                                            SHA-256:587A707E0596DD62135410B2922DF2BF4E28A44793366ECB9F80579C8761DBE3
                                                                                            SHA-512:9C7D6775838672A45E98AC7C21679E3607EFEDD7EFB8673965279067AFBB65E88D39961D1309FD586B151049AB2C262361A3DD7E02FA45C7D73B5AE0207A11DD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.444190816855698
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9jlXq39V7UTJazmvWyBmehkkSgwgt7pK1Iq6lDRyFxutpLdcIkey5JvEikr+si:Z9jlXq39V7UTJazmvWyBmehkkSgwgt7q
                                                                                            MD5:0826E8C277C0DFE42735A448DB7940C7
                                                                                            SHA1:8A7E1320F58A86745175B1D0301E822BFA04FB20
                                                                                            SHA-256:1AA40D2BBA8F882BC44DF66B9BEA547A61012449DBFA404F3D32762BD728C865
                                                                                            SHA-512:00728861F65405438F7C823A6CCBCA5B841D53F499B9B0B0856A9923B102E9EF36BBE1035AED809EDE3F2A40764F39811259C52A5A0287B9896C303F7805A11E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.471588224248052
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:vO9PcsKNcG6/SfNsIpERGRBPvJV50ATCaHC1B4/QYfsueQ5amCVBjEikgBs6d3zs:29PcsKNn6/SfNsIpERGRBPvJV50ATCa7
                                                                                            MD5:601CA689F9075A86860FE17F6663A3E8
                                                                                            SHA1:6DF7EE000E7CC0B7E81EAD584BF60F34783B7D50
                                                                                            SHA-256:2D397D019C11FECE226947B075873BB1980FBC456BBFF743D92ABD9CD13AAC2D
                                                                                            SHA-512:8231DC4D221D57A77159206D98AC874F920DB684862F22D43BE1DA0153B8CAF75B89C28BDA423FE9D1C3DF37EDA662426846963FBC7420D1AAAD162D59036ED9
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.46459183752468
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:SO9PcsAbAUxcRLSpEebIfb5lG2vuq9o7UtIbQrZuGl2v/+/UAsOkjEikRVsgz4Zj:79PcsAbAUxcRLSpEebIfb5lG2vuq9sUE
                                                                                            MD5:E74A7CD5447B6A0E49D077774C98E529
                                                                                            SHA1:9A57894B831E59EC3BAE33673D3D384C6CEF2191
                                                                                            SHA-256:E60CB451F0EEA3519C88D69EE4D4214FFBAFA07C6CE75DA722FCEB5090D3FD44
                                                                                            SHA-512:131CB8A58C7B0C814A7AA1472E3CDBD3199BC5B6AABE5FD39AD8D78E00B395D9681089753F89E3194D709F55EE8FB6D13C9EFC3AC246A1CD1F7C8205D189989A
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59976
                                                                                            Entropy (8bit):6.484108194961219
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:oO9pDyWBFils6mKaFq1ZU7iPZn3VfrsYaInkpxOM8zrBwl0xvWbiLvkLEikkls02:19pDyWBFils6mKaFq1ZU7iPZn3VfrsYL
                                                                                            MD5:D111BF070B29A4DB93EDBAB50B0A750A
                                                                                            SHA1:94B22AF2C90254600869ACEBEF6BBC6172598834
                                                                                            SHA-256:21E5E83D0ED84060CE883E628FF61E05B141179CF861B9CBE83C222816AAB6CE
                                                                                            SHA-512:6319377FF841D97379FBA879B3F274A0270C010EE0A70CC624A9862D7F1B46E08ADD69A7DB00B6B62AE7FE670B459F5E956D67C33B67737937088F42F81AFE59
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.482124743495525
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:mO9WHroG73/MBcBgbQtAIceIZJA4qErCGAqNDEvu/XcgKErjRfxLzqkPzEikp0sH:/9WHroG73/MBcBgbQtAIceIZJA4qErC5
                                                                                            MD5:4191204671CF8F3D51B7C97034F7E8E1
                                                                                            SHA1:B2CCD154E9679C5EDE4B61784F711F29E255DE65
                                                                                            SHA-256:DE145030538AA124503DFAE7BAD0717A4515EA89E3E6F0F6BAECA72ABDCFA3EB
                                                                                            SHA-512:046F578B6E95C8B5BD38D4D426E65AABDA7412011ED667E18E5B5EDC54BB1355CA5673600800F288C56216B54FD01865D1DC6CF64FF75FCFA4FE05882069BC93
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.470070999956776
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.474432837189674
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62560
                                                                                            Entropy (8bit):6.538819459136321
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.469806225746028
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.516164435968868
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60000
                                                                                            Entropy (8bit):6.46059690688784
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60512
                                                                                            Entropy (8bit):6.501112106514937
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.438594682971094
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62536
                                                                                            Entropy (8bit):6.6524750201589455
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.646946212587404
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.506165117406071
                                                                                            Encrypted:false
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.483761901779719
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:UO9jvyffWGiHpdYq84Ae89YJTrjz46UNhNnkGzColMa9TJERMCR+EikMnsCazydQ:B9jvyffWGiHpdYq84Ae89YJTrjz46UN8
                                                                                            MD5:A71CFA89BB1AC26AE34B8D4815D6B8A6
                                                                                            SHA1:B723CD73F03F7ED4D9366626525A69B868153016
                                                                                            SHA-256:0D19FD402870D85278C10A70474A57DD1A4813656F13AFEDA006E04F4FFA6427
                                                                                            SHA-512:EBD14080E66AD75CA1D4DCA6A792010C964950F6011B1B43DE9A50787AFA5898026A41DBE314409BB83D4F6F6F535AF7DA8181FA46B83861B14FE1186622E562
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):447560
                                                                                            Entropy (8bit):6.69362725487304
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:J08z9gRInEQpdGpPkKDyhAm5IiWDfg2n5hUgiW6QR7t5s03Ooc8dHkC2esv:J0CdEQpdG2KDy2m5IjDYA203Ooc8dHkN
                                                                                            MD5:77FA8A6193B1830D2235F48987AEA5B5
                                                                                            SHA1:0B2044D6738773FA174653BB818F4A1FE76FAC89
                                                                                            SHA-256:C2B2103289B656617D85EF90C04A2B8F9CD7CAB1778E69563F884C89D892AB5E
                                                                                            SHA-512:29333B6AB895440E5157F1895E180CAA4181D5DCB387CB626D4FA45CB3818AEA9658DE0C16FB72678425B7694DA39817ED6EF6B45425F57035A00B9070E97B69
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60008
                                                                                            Entropy (8bit):6.477288189346955
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:/O9NAXZqHGnAfUPOMnwjxNK0/84Z1aBBX2dulK0rEyKpFbFK0qA5/0EikMqsjz3X:G9NAXZqHGnAfUPOMnwjxNK0/84Z1aBB7
                                                                                            MD5:0060BF986FE2F438507B2D8726406384
                                                                                            SHA1:25996C7B6C49A8554413FEAEEB944ADCA570B936
                                                                                            SHA-256:F376F3B31E296801504C86EA92AA1A593D611805311E7E7710770FACE1A77AEA
                                                                                            SHA-512:90E4B18611FCF5DCC83B077938A43283AA82239EC27D269ABA481F119FC394298985DB5E13D5616EB0F3E418F592526E56230E39036465F524C0D8FA29F681C4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61024
                                                                                            Entropy (8bit):6.460625681397577
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:fO9PR9q4u0ayE7tbVTGDyl5lr41AcUV3tbUe1FdFYWssYYzTRo+0W+zmtq6+D+rs:m9PR9q4u0ayE7tbVTGDyl5lr41AcUV3I
                                                                                            MD5:37330ED5EA5EA01771D413C98FC32B7E
                                                                                            SHA1:AA17C3B714F4550917A042F483054121B13B17A4
                                                                                            SHA-256:C96FE685D8DD9A0BA9ED3B843FB69DC6722B179B765E028BE695AD1D8E06ED0C
                                                                                            SHA-512:FA7DBC099A56690259C3B37E63A2C6A8D3543AB1058F27714D659FC3FAA827C1A960DC84CB2349CA6B24676FF3575AA61C8EA7D608FD5A5CD63024D6D74DF04D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60008
                                                                                            Entropy (8bit):6.484690147146799
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:LO9NlqiUFxfhZjVqvA/hIlCsOdLM0SB3b6RCJmwc3fF1p3Ruoh9lF7+TmuB/BYSs:S9NlqiUFxfhZjVqvA/hIlCsOdLM0SB3s
                                                                                            MD5:BFA3524BA2302E078FC4BB315DFAEF36
                                                                                            SHA1:5B1DE08A1DD25F1E8A227AEF0FDA478C6C2B3D2A
                                                                                            SHA-256:9C27243B849F4AEAE152B08728731529314F03B32B5B447197914BB134E67A9D
                                                                                            SHA-512:FF0DA53C5DA977AAA2FED565F3BFBEA44E0E8D14E101F9E9CE0E49747CBDC69CD53CDB1AF68A756D28424499A80FE576A2B3FFF5DFE962A48134AD9B69C6C9B7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62048
                                                                                            Entropy (8bit):6.499608570162744
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9YM3z1nR8zMuKIJycvcygytrpu8hYGNNxYjEF9dmPTKgMsGRis0xEikBmsTC4y:w9YM3z1nazMuKIJycvcygytrpu8hYGNG
                                                                                            MD5:46CA3125CEFAA641DCEEC37735E99857
                                                                                            SHA1:7479ADEE6400FC727B99647E1393F0BDEDD76FE7
                                                                                            SHA-256:E91C7D8291B548B0C87A8DBF5BA4AC48B070A71EE2624177F40B059A8E920ACD
                                                                                            SHA-512:D6CBFEC4B65328162C295C85142676BD87B0EDCC27016FAF53ABE0391E5586244CE95CC8DC5E7BF35282DA6753B89E18702D5ED2ED654E3E566301A546F0C2C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.481733244293592
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yO9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/PIPq7tzZtq93YcZ8+gGxlEik6nsyzSZL:b9PD+Ztk6ONWg3iynOs5U1jkFhKwKH/P
                                                                                            MD5:754393FD72CE7072C9D1CFB811BD6890
                                                                                            SHA1:09C0FA677E62AE7B73C9227199D73E8E1D3781E9
                                                                                            SHA-256:2104377F7A6D91954814982B2D01D8FB1387242348752B4D74F8DC51CDA3DCCE
                                                                                            SHA-512:2D13331E6E3CEBE88F5904506E766AE914216846BD86437E0064027C79A228B1A825167AC85AD7CF9B0E2A3184483D54E04FD3F760849A5EE95490E535AF72F1
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61032
                                                                                            Entropy (8bit):6.4636076325119385
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:EO9P3hKCp6OYLZur7K/Wwtzx9RA8YGsBo4bUxOhTeiuQKYGasX2iBEikQqsnzJAS:x9P3hKCp6OYLZuXK/Wwtzx9RA8YGsBod
                                                                                            MD5:5FF2A9B976FAA2D6D77DED84DABB4F23
                                                                                            SHA1:BFEB0050B14BFC5B19387A5B97E33B75A3810921
                                                                                            SHA-256:79E68866A498DCD35F2B6E7034E41DAE5C4C941B8DE68129D95E42A5F1635921
                                                                                            SHA-512:3B40156578215F3E41D3D03D6ADE09C4E1171B9A13EA8A9A918BE8CABBBB1D537964A2715FB0A10A8F74D20D7D096DF0173CBA62EF849436057B6B17093727B6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.491906435239392
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:uO9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdlEhm5AtmxhG7TcFzCQOnIxEikTQsUpzx:H9PchEfYkIl57Dr3w8Zw9XS+xd2XHsdP
                                                                                            MD5:210D110E8FD4556BB6D5BADD157FDFAC
                                                                                            SHA1:BFB4682C6C53208F17D29DF7C893EAAC8B2FFC45
                                                                                            SHA-256:CE1F0922E083915A2FD9F386ED239CAC7EB7BD22D5F3646C89EBB43C59EABA92
                                                                                            SHA-512:B09F834515872D35EC304116AF38EAD505DD4FAC8CB8689E770EE11DB706D73A06DE59999D376078B5869BDB592A6450C0479F4F183134EA6E971937D28A685D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):65096
                                                                                            Entropy (8bit):6.5757659638547805
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:7O9MFcYvxELwVgZIvKsk24cxu1XVwNCMRTid1j2rIgfdqI5TOfHtUw8EikGGUBsR:C9MFcYvxELwVgZIvKsk24cxu1XVwNCMi
                                                                                            MD5:DAFF6FAD7BF7BCF89E924BCBB58CF945
                                                                                            SHA1:D87DA98D42A22B1F4BFE3F67194B163FFB28BC01
                                                                                            SHA-256:EE645F8D963A3143414F09C96149C39076B768B537A64EC0193D416B96A7147D
                                                                                            SHA-512:C107F4616D81F83809CFA1B186E2303E958B0608EED4675153630312D8FF2826C28EF2075F072D7028149792B4CFA5E62261FD0C6971FD5B0E286BE88CA2F686
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):120392
                                                                                            Entropy (8bit):6.600820147251668
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:kkutiJKARK95EvS8BBwwgZqoc5+TiEt9XS3RMlyTI:kJti4WZBBdZEt9Syld
                                                                                            MD5:D98053D49BFE481CBC394439879278BE
                                                                                            SHA1:53DC39C37D780D5D5CB3D341C77A304919362BBC
                                                                                            SHA-256:25D0F56DF1146C34F59D291B62E34608D2F7451D817EFFE5E94147CF182ECF41
                                                                                            SHA-512:3CF06146E31574D3C13C13CB6D887C3D66C5E4C47E3291C2B4F3D7F196786668BF257702A8B6D9047BFC986784EF756ED9B1048CF3C9058C129588C19E3F61C2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61536
                                                                                            Entropy (8bit):6.523136812660269
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:ZLO9gebhHq+ugsPXU6d/ic7SFgw0FAAgWwUT/8IS5RhOYPi5wt7D/TEikbss5zqJ:o9gebhHq+ugsPXU6d/ic7SFgw0FAAgW2
                                                                                            MD5:E7991B70C6B77FEA9A62C4F8D7530431
                                                                                            SHA1:CAE5F8E620566A0B88BEBB652CA05B6D488BD336
                                                                                            SHA-256:9D57733FF03F65B3772E594C2B724516AAE07B36D278D95551ED0CF9C8E3FB0A
                                                                                            SHA-512:1DFBC4E3D3DF1F096329CFAB20AF3DBE004914389723B72C0FD6C64524FCC0A62D00C9E1970E3AD4EFC5D290E1C3E3270835DC9DE833FF6DF42F8C935F75F1D7
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61512
                                                                                            Entropy (8bit):6.479386821033209
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:SO9mF2xWvZr5ttPBV5ramm5IgejsnMniPqhm+HFZUI8L0CmJ67V86o1n7EikSlIo:79mF2xWvZr5ttPBV5ramm5IgejsnMniu
                                                                                            MD5:59B16C3C894BE415C7898631A56875B8
                                                                                            SHA1:936B5488D3FA4A719DDB23E77349990F0B608B6C
                                                                                            SHA-256:ECA7D7BEF9C766B58D52A9397950DFD255FD7CEEB6AD7F8A6FE40ADF8F4076C6
                                                                                            SHA-512:3EEFD8BD4E3DBDE781211E21EE7D94ABC1B315DAB170AB6B7C54F50DD8F08423D89F3D31E72EAF55ECCD72F02B8C87CED43D6E0BA93EE9D5F737BB02BC2B009D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60480
                                                                                            Entropy (8bit):6.4782272527779154
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:sO9ADvQ094ML8I+w2zbtseqNaio1KHc4hUyFE4RlxgCwXVn03mO0OHc0EikbLs7h:Z9ADvQ094ML8I+w2zbtseqNaio1KHc4N
                                                                                            MD5:7A93FD8F03D33164125609576B16F7D3
                                                                                            SHA1:4E9A26CC292F32C46E7AF980138459BB54FCB5FC
                                                                                            SHA-256:7E77C6DB4E49369E22745AFD1902D43B69B63EE3904C98092325101E8E175425
                                                                                            SHA-512:5A7120AE9518A7DC17378589770C65EBB2500F49ECD61810CFCBEB92598A3A1B0759416063CC323F45A7F9F8C62EA8A5C652D29C7D61124F54C9A99CD9AC227C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):60488
                                                                                            Entropy (8bit):6.465184220792856
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:WO9NbIMAwsK92xi/p6ZCXczFy597Zh3ndpqW7A7MlN9XXW0LlTcE56fvEiknAs3E:v9NbIMAwsK92xi/p6ZCXczFy597Zh3n0
                                                                                            MD5:EE967F32CA275BFD2ECCCC4E7DF8B2A8
                                                                                            SHA1:ECABCA1D011A740F7BD4A70455BAC993ADE65558
                                                                                            SHA-256:3752413BF675863D6907E3D28CEE268F21F23DA7D867B03316593A93AD9342E1
                                                                                            SHA-512:4CAB44A67A27A5D6DF49DC2DFC90B6445E7B1C42E8C877B77B56850EEB5CF15467D14956F2E549CF34DC2E806040DE7D1653A1E73371CFCB131C51C29B1C8E4F
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):70240
                                                                                            Entropy (8bit):6.439305964283473
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:5O9f4A05v/3yGE0k4otwhknztUWCH34BsBrs+9XgaCTK6pO3/SNmKuREikFrsFaB:E9f4A0533yGE0k4otwhknztUWCH34Bse
                                                                                            MD5:6427DDA9F993898603DE50DDE1528754
                                                                                            SHA1:4737D69D4F8386C120DDA5A3718C31A7EB061453
                                                                                            SHA-256:90951B5F5A58E50E3A1068FA9DD30D30F8257FC27D1586DC66EDC174559FE529
                                                                                            SHA-512:B4925822276FDDED78553828384EA1A9016B49EAB38116FF0DC9748DA3DB1EEE5349C67586466BFAC29C8CDB1B10A4735ECD72E80A6AC427EFD834FC05B3623D
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):61000
                                                                                            Entropy (8bit):6.505132466289463
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAZ2tWD5WtcRxzkebFbrLyXPEik6ms4pzd:w9gSA64YW8K4MZQ00EOS4Lhq4YFfmKAD
                                                                                            MD5:E1C23198DA9715C0D8814AA42AD73F8E
                                                                                            SHA1:CC56B69059EF89A9CE9507E9B71557C7FAF3EE86
                                                                                            SHA-256:FC03EF162F1247354449D8B7CA9A0975A692E4C2571078BB00275EC40FB4DFF9
                                                                                            SHA-512:5E4CB706ED60D7F20B5587D4D48F9634AA770BC6D482F380100B264C1ADDDA152D19E174DC1FFD7D1446A180DD805CDA4180C4FBC814C6D547606FE33FB2F870
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):64584
                                                                                            Entropy (8bit):6.578204708909461
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:eO97noksNVY4yQM8s8KU9oTU9j6qImAdgM3XRPW+292RK/1BI3HkkKajWhEikvri:397noksNVY4yQM8s8KU9oTU9j6qImAd4
                                                                                            MD5:A788D43CA80284DE4B1F4BE99260CFFF
                                                                                            SHA1:3399A53E1D923C8FF17A7B1708CC80976F205CCF
                                                                                            SHA-256:A54192AC15BB6BAD9BFD1E0A1A958A768A7D2D942E489B4246A0A8D6194E6287
                                                                                            SHA-512:3ABB11B0623A93C9EB4C654B9C8D7DCD9DC2BAA5DAE4B14ED86212C4F9B710F76E438140A405498F2A4AB44748ABF113CE50282BBD0B0483FB80368822142BA4
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):87112
                                                                                            Entropy (8bit):6.939400200256647
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:0Ihq3RcCBwca4EZEXNciFk+ikPCpecbi/snazkZLzwN3A:0IY3RcCKcajodF4pecbi/78Aw
                                                                                            MD5:BCAE3BAF0F089D495EBC8AEB278244CB
                                                                                            SHA1:30E9D618650A9130743D44702B56D48EEFCDFC73
                                                                                            SHA-256:6D6CD9AA3A3538F5C37A2BFDDCA9FC293AC3C05A4E708257BAFE2EB1AE49F1C6
                                                                                            SHA-512:D76D22999BC7D79F4CC99FC3185CA074B8A3554412C5889BBD4497B1F2774761612791CBA4E58BCD97A38367AEB701ADCB0C5E249E0D3CFF005B19E78534AC49
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):62024
                                                                                            Entropy (8bit):6.590924628799334
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:lO9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF825mb6ZB+D31jnVJvWf6Qjlux6mnEikSz:w9gwu6Q6WwlEaDcQwi2kBPcJ5kGvxF8b
                                                                                            MD5:2C89412B5843494388D50CBC904074BD
                                                                                            SHA1:41B85F801196AAA600B3B151CF9D92B837580BCE
                                                                                            SHA-256:9874B9B27E20695019D48F72700D973258E89909D6606FCA6E72B2F51E9F62FB
                                                                                            SHA-512:180AA2AFDBEAC3FFD6509B6AB3EC9D436AB07324D690A3AFF18E977BE9E3046FD8E07A06024976A425A00EC28C1373786E95A74EBB24FC41623851BE2C34C447
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):58952
                                                                                            Entropy (8bit):6.660184048742961
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:iO9WbWCHB/rkbEqBAVidKSlcZSI3+B0ncFytfjCqpXFBwW8jeFLt8EikfBsl3z++:L9WbWSB/rkbEqBAVidKSlcZSI3+B0ncB
                                                                                            MD5:2143E5B5A9E66E73DC29FB4E455C7F29
                                                                                            SHA1:0A92DA431F4C9AC788DBFD5E99F0CB2B0AA7EEA0
                                                                                            SHA-256:7CD1B59BE13DA24CA6881FF41076C37DE6182D636E72CFBAD7BD4C5FCEFC77A1
                                                                                            SHA-512:D98C74DF96125C5EDCFA1C06E127DF75584D7778C739728E10BB3C857503FA526FE6309D45749C3DDFBADD9EFFE472C57EF78ED05DCB8A554BFAA6A64BB01F0E
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):59496
                                                                                            Entropy (8bit):6.636021348116236
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:yO9WbWqDTFAyR6j4hxW50IEdIhR2Ji1paNSh0CvJaCuXaSQCHM7IXzDEikhBsm8i:b9WbWqDTFAyR6j4hxW50IEdIhR2Ji1pv
                                                                                            MD5:1F0BE9447A686B051BDB75E34F0C8EF4
                                                                                            SHA1:ED8B0B02E54334211D1DAB4E3215EDA1C909F0B5
                                                                                            SHA-256:C6D50C31D3AC401DD787B7C9711969988EB552F7633B3D243800380470DDC78D
                                                                                            SHA-512:2A6E73DAF00542959B3BA61B07AF8B58EF3008ACE112D277CF479060961DB59708D7FF53B27CCCEB54A2BA682DEACB5152B7F0B97625847A93554D24B7A26C36
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with very long lines (1307), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):41984
                                                                                            Entropy (8bit):5.201982275359006
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:OvEgPC779Lcs9Lu9L+y6zd9LT9Lt6lxUpdnqmPxtDvI+AL99La:OvEgPC779Lcs9Lu9L+y6zd9LT9Lt6lx6
                                                                                            MD5:C97F02AB4F740BF448FE7F26E11A9C07
                                                                                            SHA1:FC9B0894FEBAD42AF6E2C4C004FF09D069A7AC87
                                                                                            SHA-256:18241A235903945E163BC9DAE8C5C98ADFAAEB8299A16A6BDCC07A9690DA6237
                                                                                            SHA-512:380CD64F241E01FE2ACE06129A094C8B409B568081716596016D6D754BD4B31280FD712C66F975A158767BC02BB053EF8FB3848A67E186B61EB20A246D7D4F17
                                                                                            Malicious:false
                                                                                            Preview:..THIRD-PARTY SOFTWARE NOTICES AND INFORMATION..Do Not Translate or Localize....This Visual Studio Team Services extension (vsts-task-lib) is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Visual Studio Team Services extension. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise.....1..@types/events (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..2..@types/glob (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..3..@types/minimatch (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..4..@types/node (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..5..@types/shelljs (ht
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with very long lines (580), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):74541
                                                                                            Entropy (8bit):5.250992941278589
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:+NEYOPC4tF9FT9Lcs9LmC3f9L+y6zLliyAmMQ/oTjv9LexV59Lt6g4Ngx4Gv+Xvt:39R9z9J9iyXy+989x4Kx0E92
                                                                                            MD5:68B616FD8348061E77780E52930B7605
                                                                                            SHA1:333148FE8249F6B5EFAC2C5B10C29C85750428AF
                                                                                            SHA-256:BB176225E4E1C521104A80952BC4E2D43FD1A400CD54619613D2243F944142BB
                                                                                            SHA-512:EA96C1DEAC2718D59A3573482E6FD5C6637E962633EFF4110745EA22E9257FC7F0DD3F49D104A791E45D2B2F09DB5024210A04BD3E3288945BEBF67370AB64FE
                                                                                            Malicious:false
                                                                                            Preview:..THIRD-PARTY SOFTWARE NOTICES AND INFORMATION..Do Not Translate or Localize....This Visual Studio Team Services extension (vsts-task-lib) is based on or incorporates material from the projects listed below (Third Party IP). The original copyright notice and the license under which Microsoft received such Third Party IP, are set forth below. Such licenses and notices are provided for informational purposes only. Microsoft licenses the Third Party IP to you under the licensing terms for the Visual Studio Team Services extension. Microsoft reserves all other rights not expressly granted under this agreement, whether by implication, estoppel or otherwise.....1..@types/glob (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..2..@types/minimatch (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..3..@types/mocha (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..4..@types/node (https://www.github.com/DefinitelyTyped/DefinitelyTyped.git)..5..@types/shelljs (htt
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Unicode text, UTF-8 text, with very long lines (2046), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):428822
                                                                                            Entropy (8bit):5.141739584920708
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:HjmBzNKKure0HkBfcFZW879xhX2myXNH+Z/W13p8:8hBm
                                                                                            MD5:6ADF177E37C04AFEB5C507B0C0A05EBB
                                                                                            SHA1:034C04E0868F37792B6786482316EEBF31B40C47
                                                                                            SHA-256:C0A3D2EDBC9F8965C184633FED2CA1FEAFF25C93372F80A63C80AB2344DBD918
                                                                                            SHA-512:A4F7BF9198A6327A90BA7027E2B41D1B10B48FA34C5857CD11B78BFF377C287669AC9DD933F25AA623405930714EEDD0033497C79DCF305A6F9D7888E2AB20FC
                                                                                            Malicious:false
                                                                                            Preview:THIRD PARTY SOFTWARE NOTICES AND INFORMATION..Do Not Translate or Localize....This software incorporates material from third parties. Microsoft makes certain..open source code available at http://3rdpartysource.microsoft.com, or you may..send a check or money order for US $5.00, including the product name, the open..source component name, and version number, to:....Source Code Compliance Team..Microsoft Corporation..One Microsoft Way..Redmond, WA 98052..USA....Notwithstanding any other terms, you may reverse engineer this software to the..extent required to debug changes to any libraries licensed under the GNU Lesser..General Public License.......(OpenType Sanitizer)..undefined <https://github.com/khaledhosny/ots.git>..Copyright (c) 2009-2017 The OTS Authors. All rights reserved.....Redistribution and use in source and binary forms, with or without..modification, are permitted provided that the following conditions are..met:.... * Redistributions of source code must retain the above
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):407384
                                                                                            Entropy (8bit):3.333475459817519
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:O/ycCzaMpI95BLgxJV4lW1OJY66c9xYtY/Pf:O6xar5Jq1O7Ku/X
                                                                                            MD5:9E9DD5228E99AD6CC47CF6A2520FAAD0
                                                                                            SHA1:084008A5441E576457749C48B97C542E75FF82A9
                                                                                            SHA-256:02C1D3ABBDA8F7E5FAAA02555F9B20D34E3B5DCBC81E3F450C0EF532F5407BBF
                                                                                            SHA-512:FB66406C29FD2A7C76E190239757909C784992EBE0F2C1905B1EB7C485CBA4C23BDEA58E3270B8206309BB2B748BBE4D528570042E87E67CCF0FAECD2A72F96B
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1022560
                                                                                            Entropy (8bit):6.657712265319648
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:YOPJ1g7mT6BNvwTOxNfoYotrz1111111r8SoKxmxvSZX0ypdNLhR6:YO1aNoaxNfo/+ao
                                                                                            MD5:1D84140F287B0AF40150FD4B487A5CE7
                                                                                            SHA1:51798B86B47341FE99E840477F0894372D06ABD2
                                                                                            SHA-256:841FA4499144C3C94C1696F9446974C5BA780ED027EC259BBF006FB259E2C571
                                                                                            SHA-512:5CCBE7E5AB0F1CD69341B288D52ED301B66D85DD2C16E58338A8ED8AF7D0B1D36128450A27AE3B44B6B49DEAF3AB7811DB80B53CC5D408D74BB3CC63E0556A3C
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:data
                                                                                            Category:dropped
                                                                                            Size (bytes):730800
                                                                                            Entropy (8bit):4.678174904396932
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:N3cjYbWpwVjYj10yoTYZrmYdQyKeTRj9LigEkVMXsmTDZbt5X4bn:0YnYjXF5/9CsmTZt5XWn
                                                                                            MD5:067B049CF02325F2BA017887051BEE31
                                                                                            SHA1:AFC4FD114D6A34891FB23F043AA99AFAC6DD8E63
                                                                                            SHA-256:B604041F85FB693F130BF0AE60CE83EBFCA56371CEC261085620E56AE93AB591
                                                                                            SHA-512:F9948E9F65BA6D86AE4FE6EC407FB393A05CB28C100A7638127572AB1C18BE2B4333F619472C3A19EB19337739C10A79BA04325A555442AB35CFF0B6E8847904
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):344648
                                                                                            Entropy (8bit):6.03471108045702
                                                                                            Encrypted:false
                                                                                            SSDEEP:6144:OaGpFE+VAtdoFb6/FrlBu+MbNNSUgzCZXdbQ2P:Oaf+VHFe/dlBqKUfQ2P
                                                                                            MD5:B50AC3B8BC02A3667BB946BB4BDD454C
                                                                                            SHA1:960713D139716B9DCF7CA84772F403566485ABC0
                                                                                            SHA-256:0B526C2204B0B965B68C32F5E27E05DF6EB711D42406745CFFE461EF4F0EDD06
                                                                                            SHA-512:40F3A08A3FE02F6E0F7599E8DD0ED5321C093B9BE114D4C271F5D7F87F2AF0EF475ED0B5C200BC4F2BBEA3C9F309865FD7508DA869E9604F99EEAC00D6EE03CE
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):191552
                                                                                            Entropy (8bit):6.458687634266454
                                                                                            Encrypted:false
                                                                                            SSDEEP:3072:wBFccDm4XHgWExRgn+PywAjWxxIvU9e1IOdP0tTLuoQzmxadCp3S:OCR4XHmxRgtjAa8wfW62aWi
                                                                                            MD5:4678590F6D931EB7FFFCDA1416BF9E08
                                                                                            SHA1:A7249DA03AEEF44275EED224978A6B9FAE390E1C
                                                                                            SHA-256:B6B0BD3017F3460494DE7E4DCF7FD4F4A6556ADFA87DE84566753CA2BB124541
                                                                                            SHA-512:83B1F105D19B22FE7DCCEE4DC3C4C8602F3C7554A5113EEE7F32455A1164D560FBD4EA30124629C5105E657FE173B49C6B82290E426876B76A73C63C86CA6449
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):108616
                                                                                            Entropy (8bit):6.640229553645366
                                                                                            Encrypted:false
                                                                                            SSDEEP:1536:CxhUQePlHhR46rXHHGI+mAAD4AeDuXMycecb8ifVpzOZaze:Cvk4wHH+mZD4ADAecb8YVpLS
                                                                                            MD5:9604E07A7F80BE45D8CBADF3238A9FFC
                                                                                            SHA1:14ACF199A7E3F9334E319C9CB0FD6C02CE1FCF54
                                                                                            SHA-256:210BA41F4AE7808DBFF12ED601889FCBB345D173DA48762B3D115D19E1C855C4
                                                                                            SHA-512:6DD9893250CD12B4E04A3386D9E38C05373D7ED8DC8D59F08BCFAA7B62FB7CE8619F84D248DAD899891E1B1F82103215ABC0698A5C0BFE9AE3652E374B9F8A08
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):48200
                                                                                            Entropy (8bit):6.729562994683191
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:ohh4pTUUtmUwqiu8oSRjez6SD7wZ9zdgElK9zJAf:QJ9x70w7zdZ2zqf
                                                                                            MD5:0C2E22E8722268B739223C7CE150AB6C
                                                                                            SHA1:F894E5B3805E3E81801148CA1EA5ED3D3C5732B8
                                                                                            SHA-256:0AEFC52571581B4C9CAF809D376B950EB311F6E8E288F60DC48F07FC1EFBAE8C
                                                                                            SHA-512:D0EEDB68AF484683828B5C26A27250D191B0898DE36D519E65C42E0657BD82AF820071D0D616A98EAAF003DCE3891F4FB11E84C6CF5FE2E110190468E24830FD
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4779616
                                                                                            Entropy (8bit):6.28594493886557
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:rUEEwQrTMh3bo/PxQgtn0IK6W3NIIYl4R/3S+w8CjTiMH7vPF/14ZLGpS7rlykMz:Vy/5kd67MI9NBd
                                                                                            MD5:DCF41A64F238C3DAD53C96C30A6B78DF
                                                                                            SHA1:D776B30B040A6F684D35E41E2CAD66C17BE66B15
                                                                                            SHA-256:C1AEF81F1720FE7D51CDC082AF27888072DFAEFE79CB54191B092D418F3DC6C6
                                                                                            SHA-512:3C4F7E41A99AA4EBA2C56C05292AECB3A4AC4592B3015A8BB02CB2B2D2A1F7E0467DC851503C83E3AA83D4089746C40E377DEFFB8DD2277C5E66DB80A59ADC76
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):106
                                                                                            Entropy (8bit):4.724752649036734
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                            MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                            SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                            SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                            SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                            Malicious:false
                                                                                            Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):895048
                                                                                            Entropy (8bit):6.592707960432529
                                                                                            Encrypted:false
                                                                                            SSDEEP:12288:HPcsZ/i18O9zheQQZ7bjnfjaimmVBmJUAI0/bf1IohDX6G65:HPcL19F0QCn5VBKQmSgW
                                                                                            MD5:59609D418A0F3B0ECAD12AE3E4CDD103
                                                                                            SHA1:E0CC2B9F9BB2B9ADF837F268AEFEDF4E48496718
                                                                                            SHA-256:829B0595D3904EB6C6D32588AC6237749F38429A22155BDCF751D6707140CCD2
                                                                                            SHA-512:E045A66B096B8FBA1079192788EC13938B3ECD80244F888546C3C4B6C4E02555B74D88C3031B56BE0C82B6E8A37CC0EBE75685744FB2DC0F191C70119EF5B478
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):83
                                                                                            Entropy (8bit):4.769794932794191
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:b2yLL8sXimxUoS/0FTADGLrGObn:pLL8sSRoS0vGObn
                                                                                            MD5:CE12FC52AB8D6B441448BE2479B2C26B
                                                                                            SHA1:521F0A48E7DCAB9E9FDF7DB9C0C66E51E4411124
                                                                                            SHA-256:7AC6BF7F5058227F9C23A1771BEA7A9CFDC995312AA6952D45C15132FC72483C
                                                                                            SHA-512:2F9E25C4AF5CD9E4661DC7185B24B42AADABB21698BC0B98B95F8FAC51A770E52B9D2B07BFF38A35F564E6172177D4E182A7F1EE7B89E030B288BE8D50F7E593
                                                                                            Malicious:false
                                                                                            Preview:.3232F40A817D02FCCC6BE97296C5AF94AD7A1F9A Teams-1.7.00.15969-full.nupkg 143249635
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):26208
                                                                                            Entropy (8bit):7.105578621101084
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:YD8XDbCstLEpcR9z0K0Zo/NEHRN7XtG2R9zyvU6NrgP:DTPLEpw9zz0qAX8K9z9argP
                                                                                            MD5:6BB9D2EC6EA3BC899060AC1EBA3FBE62
                                                                                            SHA1:4021108420F61F94FB6F3C7C6A72285165707E03
                                                                                            SHA-256:F1AE951A1A481377E866C844484AC08D7F34280CF48DE94E317B21F879F4355D
                                                                                            SHA-512:CD67217B781E9DEE946BD94774C3277A5096F97BDA3874B096A8271F6489EE750B8BBB863738EA526C627CF0CAEB0E5CE16E6576031346840DB7316084340DD6
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):83
                                                                                            Entropy (8bit):4.769794932794191
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:b2yLL8sXimxUoS/0FTADGLrGObn:pLL8sSRoS0vGObn
                                                                                            MD5:CE12FC52AB8D6B441448BE2479B2C26B
                                                                                            SHA1:521F0A48E7DCAB9E9FDF7DB9C0C66E51E4411124
                                                                                            SHA-256:7AC6BF7F5058227F9C23A1771BEA7A9CFDC995312AA6952D45C15132FC72483C
                                                                                            SHA-512:2F9E25C4AF5CD9E4661DC7185B24B42AADABB21698BC0B98B95F8FAC51A770E52B9D2B07BFF38A35F564E6172177D4E182A7F1EE7B89E030B288BE8D50F7E593
                                                                                            Malicious:false
                                                                                            Preview:.3232F40A817D02FCCC6BE97296C5AF94AD7A1F9A Teams-1.7.00.15969-full.nupkg 143249635
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                            Category:dropped
                                                                                            Size (bytes):143249635
                                                                                            Entropy (8bit):7.997720883346693
                                                                                            Encrypted:true
                                                                                            SSDEEP:3145728:UPfX4U6yCCMje92AEdGaY3EvFv8y9F0BzrOeFYvFj:UPwU6yCCM9D40vFvvaBzLgFj
                                                                                            MD5:7DDB6028895226742967DDBE9471D569
                                                                                            SHA1:3232F40A817D02FCCC6BE97296C5AF94AD7A1F9A
                                                                                            SHA-256:9AB0AFB201BFD1E701B07AA287A39CA83E6A18D64DDD16664802001FDE3EAB94
                                                                                            SHA-512:8FB027AB14F17415B72D68EBE35E07CD7DD3EF986056899B252DDA6B70980A4E333BF3E90755A9735DE03A6CFD68808C1109CCADEA81F9A116F5B70333C73D28
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):37
                                                                                            Entropy (8bit):4.063335204640661
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Y1AohbpTZJ4n:Y151pr4n
                                                                                            MD5:F57CCF6F5B9C1E2AAC3C144605B53AA5
                                                                                            SHA1:97B96FB910D992E53C305CA7D93CBC396567B0F8
                                                                                            SHA-256:A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
                                                                                            SHA-512:D7959CDEFF648169F967F4F09771C1D6466929C8120D31064570CAB88F83D14041A4CC56F09019799770189F55CCAE89AAD18BF40AC788A717CB1ADE1F52F957
                                                                                            Malicious:false
                                                                                            Preview:{"--exeName":"MSTeamsSetup_c_l_.exe"}
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:Unicode text, UTF-8 (with BOM) text, with very long lines (1064), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):23087
                                                                                            Entropy (8bit):5.420330174086718
                                                                                            Encrypted:false
                                                                                            SSDEEP:384:p6m6hwXil6A6eY0RFbV2F6eNkZpAvOtt+tQDZANamAp:swXij/2F6e6aowpNQ
                                                                                            MD5:8A561E78CEAE558F889A59C2C9C59452
                                                                                            SHA1:5323AA8BCF6A59BD695970434B4428936FE52065
                                                                                            SHA-256:28C8E882D0A131B3A6F73B56089FEDA31F077C4B758E90933F3A41C1FAD3F00C
                                                                                            SHA-512:859103CB5BB7A0949CB006E8C33DA33DE5CCA311DC4CAC231E904B1E88BEE15228205B4CB9AAFA0B86C54A10483B96290D902C4B5508628AAA33DA1C19C514B1
                                                                                            Malicious:false
                                                                                            Preview:.2024-06-19 19:24:36> LogHost: Write failed...2024-06-19 19:24:36> LogHost: Message: Valid SendTelemetry key value found at Software\Microsoft\Office\Common\ClientTelemetry, value 1...2024-06-19 19:24:36> LogHost: Stack trace: System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\Users\user\AppData\Roaming\Microsoft\Teams\SquirrelTelemetry.log'... at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath).. at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost).. at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost).. at System.IO.StreamWriter.CreateFile(String path, Boolean ap
                                                                                            Process:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):2587536
                                                                                            Entropy (8bit):5.8722573216040965
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:n6vefAQban/ZfJjXQQ3hBe+tnAXaJsxh0YzCeSAeZ3G:n6ve4Q2n/ZfJLQWhBe+tnAKJy7CeSA5
                                                                                            MD5:8F0E958D7EF57D727ADCDA1C67C24C2B
                                                                                            SHA1:DA68956F5E16C2D76E87367487C2A82A6B8025CD
                                                                                            SHA-256:4955CC6E58049EF1E274F340C8425CC55B324278199C92AC0DE87DF05BFAD35D
                                                                                            SHA-512:BBC325E94390053AA6D667D1FE3869772E788370F5CEA9298FBFC8CFAB73392DB719F943C7E757693CB2AB80174B3FBEB40ED9B487B9CCF5CC748BCC6AD85558
                                                                                            Malicious:true
                                                                                            Yara Hits:
                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
                                                                                            Process:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            File Type:PNG image data, 440 x 248, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):8784
                                                                                            Entropy (8bit):7.902641651176422
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:BSJGHdn/Q+Uewe0x/JpeuIZTZzM6MEW+ZABCXTpETPK0hX:oQHdnId/JJSTZzM1MGCVETi0N
                                                                                            MD5:FF1F29DCA0451246C3CA6CB7B023434F
                                                                                            SHA1:B26BEA187F072D9A401B7FD06661492418B893EC
                                                                                            SHA-256:753D7D351E427246E2B6CC86C45E21F952939E306C3EB2FDB1BD7D67842C64B8
                                                                                            SHA-512:AD3D2BAC2ADA88CBA32567A5C2DC67C7B4E3A0D0834C262E577DD77BF3B38CD60B35DF72407CBEA256343CED449D9C7C01D0A6EE58EB8D1188695359F47E15F2
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            File Type:PNG image data, 440 x 248, 8-bit/color RGBA, non-interlaced
                                                                                            Category:dropped
                                                                                            Size (bytes):9016
                                                                                            Entropy (8bit):7.9037256871196355
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:BSHYMeY9ayCss7Db0cvhlCZMNvgKiMKEl7eJ1XDw65pz:obBlCsyDb0cvbCSmEo1XDvz
                                                                                            MD5:3488A1749B859E969C01BA981036FAB6
                                                                                            SHA1:A65B72461FA14C89FCE0D025E43454830A1F7972
                                                                                            SHA-256:C3FA333FDBCE95D504AEE31912993DC17AB31324428F557AC774F7E98B049B99
                                                                                            SHA-512:7363003422BDAABB7943439EE1E846867F0F3D0BAED3456424544A81989BD2D142A411CF982D90E4158314D410CD1A1A4EE33D8707219B4274CD2841705BCECC
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):344
                                                                                            Entropy (8bit):4.928890348969296
                                                                                            Encrypted:false
                                                                                            SSDEEP:6:Yr1VXl/H7n+D22e9TOXJatgKG9ik8N5KATrKG9iM8N5KATEEKG9i7kT8N5KATJP3:Yr1Jl/bn+DBetOXJa0ik8N4AHviM8N4H
                                                                                            MD5:677CAB9A8B50AD026CFA7625A35DD2D7
                                                                                            SHA1:236780C5FBF2D5607F7CB165549584C9153112A2
                                                                                            SHA-256:07890DDA20815E1E57DCA9553F5DFCFF1B85F4A4369685D4991599E2618978F0
                                                                                            SHA-512:D1863063926B405A6BADE3327CFDE25983D94E626D568ABBDBDFF9AE95E00061ED9CA80CC03A826C2144E4469A2734EA887A6C56AE0ED0CAF70CE0077D219162
                                                                                            Malicious:false
                                                                                            Preview:{"pdsEndpoint":"https://teams.microsoft.com/desktopclient/installer/windows/","fallbackNextGenAppPayloadUrlX64":"https://aka.ms/maglev-x64","fallbackNextGenAppPayloadUrlX86":"https://aka.ms/maglev-x86","fallbackNextGenAppPayloadUrlARM64":"https://aka.ms/maglev-arm64","getInstallerEndpointUrl":"https://teams.live.com/downloads/getinstaller"}..
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):37
                                                                                            Entropy (8bit):4.063335204640661
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:Y1AohbpTZJ4n:Y151pr4n
                                                                                            MD5:F57CCF6F5B9C1E2AAC3C144605B53AA5
                                                                                            SHA1:97B96FB910D992E53C305CA7D93CBC396567B0F8
                                                                                            SHA-256:A92CCAA545B4AF7A81AC10C260291C3C33FB68197D150F8A42D1FBF74EB27648
                                                                                            SHA-512:D7959CDEFF648169F967F4F09771C1D6466929C8120D31064570CAB88F83D14041A4CC56F09019799770189F55CCAE89AAD18BF40AC788A717CB1ADE1F52F957
                                                                                            Malicious:false
                                                                                            Preview:{"--exeName":"MSTeamsSetup_c_l_.exe"}
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ISO-8859 text, with CR line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):4
                                                                                            Entropy (8bit):2.0
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:9:9
                                                                                            MD5:A7E0F8AC46398A7876D1E40DD52C2AAB
                                                                                            SHA1:B66922B4E6F09E23C072E4AFF49C67C3121DD5AF
                                                                                            SHA-256:05174BBF0D407087E45B12BAAE17117426852FF3A9E58D12A0EBB9A10B409743
                                                                                            SHA-512:E6B93215582F7F4F5E9292273A9466B5D0CC3A4EA7D77AE42854203755441DD5EDBEFB11FE8890CAE7783E41E2EDBF61EC7B03D7E5E9870A7821D4016B095F79
                                                                                            Malicious:false
                                                                                            Preview:....
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:MS Windows icon resource - 18 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                            Category:dropped
                                                                                            Size (bytes):155778
                                                                                            Entropy (8bit):4.365683553659457
                                                                                            Encrypted:false
                                                                                            SSDEEP:768:Dg7Z3gHhMIW7F3TGUhxkZ1OgbC6kStqJ1L3mC3g9BQ0MRB3R9HwXOs:07Z32hLWNTJhxiQACPStqzZw9ep3Re
                                                                                            MD5:DA622BAB6EC1BE707C3851DA2AA8F7F3
                                                                                            SHA1:3D4F86D9519F103AFAF15A4C100527CAF857E749
                                                                                            SHA-256:AE983158B0308793900A0F2D8EBE33C6D9CC2C83BDFF94D2E8E4D8931093C1EB
                                                                                            SHA-512:4C5E6EBD200D533B7B951E00A485D90CF6CE38D0E42381F9DD648F9F2143EAABF72B1ABE2BD5628F655A68EAED3E123D12DC71EAD9F696EF4E2877B6156C4711
                                                                                            Malicious:false
                                                                                            Process:C:\Users\user\Desktop\TMSSetup.exe
                                                                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):4316160
                                                                                            Entropy (8bit):6.423846533625978
                                                                                            Encrypted:false
                                                                                            SSDEEP:49152:1CNN2ZP7W3+VKakLhvP6dksTUmlpdSpZjqKvpXaMXjUeAWacpyGqyzohPdU8lPQ5:1CNgW3+MLIndoQLW7pyPPfU
                                                                                            MD5:7121D0E9FDD9FA23ACFEA6B4939C2A65
                                                                                            SHA1:DE691AA96F28C9DA2179D8D683CB5F6C50528900
                                                                                            SHA-256:82B246D8E6FFBA1ABAFFBD386470C45CEF8383AD19394C7C0622C9E62128CB94
                                                                                            SHA-512:693D00410181FB47E1006C9AF763579C55154106F3571F11619D00F93BBD0A42E6405C4B242735A2DC9D6A82180FBA70FE8F1B1D53F227546176A9B816F10FDF
                                                                                            Malicious:false
                                                                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$......../o..N...N...N..6...N..6..%N..6...N..#....N..#....N..#...N...N...N......M..6...N...N...N.......N.......N.......N.......N..Rich.N..........................PE..L....2Wf...........!...'..)...........&.......)..............................`B...........@.........................P.3.D....PB.......4.._...................P@......D3.p...................@E3......C3.@.............).l............................text.....).......)................. ..`.rdata..P.....)..0....).............@....data.........4.......3.............@....rsrc...._....4..`...z4.............@..@.reloc..&....P@.......?.............@.......................................LGFEyaWCkJw4zr8qYsKhfQ6DpNRj5nAHg37TvP2BdXmMSbZxVe..................................................................................................................................................................................
                                                                                            Process:C:\Users\user\Desktop\TMSSetup.exe
                                                                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                            Category:dropped
                                                                                            Size (bytes):1447792
                                                                                            Entropy (8bit):7.574974695457159
                                                                                            Encrypted:false
                                                                                            SSDEEP:24576:B9Yu8GgnSf7uw7O8qGVniQjY2nyZlEe+NB4HNoP8Bw/F3cjtBxVTNbpM7Z3afU:AGMo7NPVFjY2nyZSNB4t48sUjbpcZ3t
                                                                                            MD5:CF0E0F57B68A11D099EC944200A6069D
                                                                                            SHA1:1DDC31265D8DDDBA4F82FE34A66A1BC4000F93AD
                                                                                            SHA-256:73354811E3109E265821124A18B1B7D9FD3DD1207BB46C18937D250C6AB46DEC
                                                                                            SHA-512:D0F7CC46F8C1FFFEE67528C57A91A693B574386BB86EC85C8FE0684FC305A6A5121965DF4470950E36D2E1025C6EF435C58534D1885AD0C7CFB07759B2EE5C0B
                                                                                            Malicious:true
                                                                                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......M.],..3...3...3..O....3..O....3..O....3.[.0~..3.[.6~N.3.[.7~*.3..,....3..,....3..,....3...2...3...:~..3.......3......3...1~..3.Rich..3.................PE..L....T.e.................H...~.......E.......`....@.................................,.....@.............................................................pM......P1...u..p....................v.......v..@............`...............................text...*F.......H.................. ..`.rdata..hZ...`...\...L..............@..@.data....&..........................@....rsrc...............................@..@.reloc..P1.......2..................@..B................................................................................................................................................................................................................................................................................
                                                                                            Process:C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):389
                                                                                            Entropy (8bit):5.602157612801083
                                                                                            Encrypted:false
                                                                                            SSDEEP:12:YKWSg99rrt+Js/+iqb6zMvSprMnzYFtpvMoG7t9yA0Y:YKWfrrt/5FzZprIEtOo29Th
                                                                                            MD5:C65B7BE68A1BD1295A818418E9D9F7CF
                                                                                            SHA1:8E871FE85B4EFD51EF83E83BDF198C1E8BA4D9E9
                                                                                            SHA-256:D99A699C3D33744AA430FECAB33A325BCD5615F303B2F2C9048D4FB9ED06084F
                                                                                            SHA-512:68279113BA4758ED9131A78F3DBE1860D81DECD816DE64336185321C394C51253D839A258075E84DCF9B0E9294934FF08CB8322748CC2134BE378181938E62CC
                                                                                            Malicious:false
                                                                                            Preview:{"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAAAcOyeABppwTJSapJHrZicIAAAAAAIAAAAAABBmAAAAAQAAIAAAAPmRuwwcdmTFr7fFDaKDXyFg3vXhH2K38Y35RpwSUEpyAAAAAA6AAAAAAgAAIAAAAOfDNZaM/bCCjezUwzCzDA/dEjL7zdxdRims+z+i0ZIEMAAAABpJiQ7OJ6lno4ScVBar6INfaax9INgOLPhJXIFNlDjg68lop5LGLRL/omOHMKPZr0AAAAAH72bwXhx47SEIJ6Dl0Hrw4Lya2LVatsXaPWUQFUxy1G2PkjyWLzRbz6qjfj+zhLcirIO+aCUS4nJstU233i5j"}}
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:ASCII text, with very long lines (1118), with CRLF line terminators
                                                                                            Category:dropped
                                                                                            Size (bytes):17923
                                                                                            Entropy (8bit):5.217633046724584
                                                                                            Encrypted:false
                                                                                            SSDEEP:192:Z8fmi8+mY8bmHrBymq98EmummVmVDmOxmnUm1bmlnWmL5mG6myFmF2m7pmqYmrtp:G8jn6KE2x01p1zDj
                                                                                            MD5:E688E62387F77B8AA5D9E9B5180D8911
                                                                                            SHA1:BB0A78001213FA6F0AE19E7BB0BC094EACB62D24
                                                                                            SHA-256:2FCB37288A357D52C10095446CE4ED301211E77308D72F29D7BBE2C81A889241
                                                                                            SHA-512:8124707248BE7D0823589879BF31BC93854DBBF574BC726D0CCE79A4D04D74DF3D90D3203AF9D9ECA82D984DB7FA92121F5BED4B965C0854BC5A6376186A4B4C
                                                                                            Malicious:false
                                                                                            Preview:19/06/2024 19:27:50> DownloadUrlRetry: 0, endpointUrl: https://statics.teams.cdn.office.net/production-windows-x64/1.7.00.15969/RELEASES.exe, Scenario.Status: success, scenario: 324938e1-e08a-4f26-99f7-75c60ac98610, Scenario.Name: desktop_squirrel_stubinstall, Scenario.Step: download_file_start, sequence: 3, appversion: , platformId: 27, DeviceInfo.OsName: Windows, DeviceInfo.CpuArchitecture: x64, DeviceInfo.OsVersion: 10.0.19045.0, AppInfo.ProcessArchitecture: x86, AppInfo.ClientType: desktop, dllSearchPathState: unset, clientType: desktop, source: exe, distSrc: default, breadcrumb: dud;t1ib;gpcpc;inc;ejfpd;ums;ap;cuh;, SignedPackages: enabled, desktopSession: desktop-5eb416e7-7bb1-4f33-9fd7-1ef82dbec21e, installSessionId: 7047b41722ffa36cf03c83fca7806602a3d47edff6d2dcb4597c03cd6d34c150, delta: 179071, scenarioDelta: 179071, elapsed: 1718839670964, stepDelta: 14167, DeviceInfo.ComputerUuid: 71434d561548ed3daee6c75aecd93bf0, DeviceInfo.OfficeMachineId: b2df2e355e3c024991f286e19a95b9c3,
                                                                                            Process:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            File Type:JSON data
                                                                                            Category:dropped
                                                                                            Size (bytes):105
                                                                                            Entropy (8bit):4.735934952583092
                                                                                            Encrypted:false
                                                                                            SSDEEP:3:YTyLSMfTQgNScHGWSeGz1+W68WVjn:YWLSeTQgDHHGz1+h8M
                                                                                            MD5:B74CF6C00AED27ED4E12C10724191C91
                                                                                            SHA1:5865F73879AA7566B653B1B1033FE332334702EE
                                                                                            SHA-256:6E46F37E9A8F33F6139EB36644037955043F26E3BD7A61173A5B83C233562D52
                                                                                            SHA-512:A8A6A5380E23E194C89F23903ED138DE75780EB41BA5CBB083C80579061933AB075667324A3E0FE8FB189E86AD2DC3FC169F6736369C38453A8A55D68C62612B
                                                                                            Malicious:false
                                                                                            Preview:{"version":"1.0","installSessionId":"7047b41722ffa36cf03c83fca7806602a3d47edff6d2dcb4597c03cd6d34c150"}..
                                                                                            File type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                            Entropy (8bit):6.924579112071648
                                                                                            TrID:
                                                                                            • Win64 Executable GUI (202006/5) 92.65%
                                                                                            • Win64 Executable (generic) (12005/4) 5.51%
                                                                                            • Generic Win/DOS Executable (2004/3) 0.92%
                                                                                            • DOS Executable Generic (2002/1) 0.92%
                                                                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                            File name:TMSSetup.exe
                                                                                            File size:7'692'344 bytes
                                                                                            MD5:e0efcd15daaa87d864f56c803156ae43
                                                                                            SHA1:5327dd70591fd8687b5514c44c3604d1728f909e
                                                                                            SHA256:9601f3921c2cd270b6da0ba265c06bae94fd7d4dc512e8cb82718eaa24accc43
                                                                                            SHA512:d2fd47faeda11445fe247a2e5ae4c6149ecee9a64d585712bf283e38a0c1f25ae9a0eaf86e41e0f5aa665588959219523c23da2c30269307f2aef302df7c51ce
                                                                                            SSDEEP:98304:flyRuief75kCNgW3+MLIndoQLW7pyPPfUZMoHFY2yZSg4RYY0yO:f4Ruief6+3FsHfC6R4RAx
                                                                                            TLSH:0D76C046A7418061DCCE0374916B9BBD5E395D9447308FD35F90B9EEAA32DC2263B3B8
                                                                                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........D[...[...[.......]...............Q.......J.......R.......c.......R...[...........V.....g.Z...[...Z.......Z...Rich[..........
                                                                                            Icon Hash:4c4f64e46464070e
                                                                                            Entrypoint:0x1400177c0
                                                                                            Entrypoint Section:.text
                                                                                            Digitally signed:true
                                                                                            Imagebase:0x140000000
                                                                                            Subsystem:windows gui
                                                                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                                            DLL Characteristics:HIGH_ENTROPY_VA
                                                                                            Time Stamp:0x65E95C7C [Thu Mar 7 06:19:40 2024 UTC]
                                                                                            TLS Callbacks:
                                                                                            CLR (.Net) Version:
                                                                                            OS Version Major:6
                                                                                            OS Version Minor:0
                                                                                            File Version Major:6
                                                                                            File Version Minor:0
                                                                                            Subsystem Version Major:6
                                                                                            Subsystem Version Minor:0
                                                                                            Import Hash:94580cea63b75c7571249756243fa337
                                                                                            Signature Valid:false
                                                                                            Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                                            Signature Validation Error:A certificate was explicitly revoked by its issuer
                                                                                            Error Number:-2146762484
                                                                                            Not Before, Not After
                                                                                            • 26/05/2024 19:54:31 24/05/2025 19:23:48
                                                                                            Subject Chain
                                                                                            • OID.1.3.6.1.4.1.311.60.2.1.3=CN, OID.2.5.4.15=Private Organization, CN="Shanghai Ruikang Decoration Co., Ltd.", SERIALNUMBER=91310114749267858B, O="Shanghai Ruikang Decoration Co., Ltd.", L=Shanghai, C=CN
                                                                                            Version:3
                                                                                            Thumbprint MD5:39DE96150BEE920AF2067F2F0F37880D
                                                                                            Thumbprint SHA-1:F24176D503AB72694E5133CA701A4982C62A6D03
                                                                                            Thumbprint SHA-256:DD14F0B75017F5FAF5C7C860E1D79395DAADB296A08E131901C33EC1BFEC204E
                                                                                            Serial:0A072922082661B3E22477B0C768608A
                                                                                            Instruction
                                                                                            dec eax
                                                                                            sub esp, 28h
                                                                                            call 00007F92FD6EE180h
                                                                                            dec eax
                                                                                            add esp, 28h
                                                                                            jmp 00007F92FD6EDABFh
                                                                                            int3
                                                                                            int3
                                                                                            dec eax
                                                                                            sub esp, 28h
                                                                                            dec ebp
                                                                                            mov eax, dword ptr [ecx+38h]
                                                                                            dec eax
                                                                                            mov ecx, edx
                                                                                            dec ecx
                                                                                            mov edx, ecx
                                                                                            call 00007F92FD6EDC52h
                                                                                            mov eax, 00000001h
                                                                                            dec eax
                                                                                            add esp, 28h
                                                                                            ret
                                                                                            int3
                                                                                            int3
                                                                                            int3
                                                                                            inc eax
                                                                                            push ebx
                                                                                            inc ebp
                                                                                            mov ebx, dword ptr [eax]
                                                                                            dec eax
                                                                                            mov ebx, edx
                                                                                            inc ecx
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x192470 | 0x64 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x203000 | 0x5a9d35 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1ff000 | 0x2328 | .pdata |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x753a00 | 0x2638 | .rsrc |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7ad000 | 0x988 | .reloc |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x189e40 | 0x8c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x18a080 | 0x28 | .rdata |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x189ed0 | 0x138 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x3b000 | 0x3a8 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x392cc | 0x39400 | ece9e148bd579333220d9c00e313ef19 | False | 0.4937824099344978 | data | 6.358495211290681 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x3b000 | 0x1580fe | 0x158200 | a03e8e943ed3f9ed8d21983a2bcd8fbc | False | 0.7707763405830004 | data | 6.962218631244671 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x194000 | 0x6adc4 | 0x1400 | 5cabc4868242b87e52321815f3592d22 | False | 0.1779296875 | data | 3.1311747454897714 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .pdata | 0x1ff000 | 0x2328 | 0x2400 | 5a8f82d7330ea3ac27cfb2421b837d15 | False | 0.4768880208333333 | data | 5.5429601793997385 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| _RDATA | 0x202000 | 0xf4 | 0x200 | 62f9c30ae480d3b51fbad891ed0dc49f | False | 0.306640625 | data | 2.4575593112849665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .rsrc | 0x203000 | 0x5a9d35 | 0x5a9e00 | 5cca99fccfbff4aef13fa3c8b9294423 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .reloc | 0x7ad000 | 0x988 | 0xa00 | 4dff63d6210d48c6e6b47d84d1dfd2ef | False | 0.53046875 | data | 5.347352425820936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
| e^u>z^ | 0x7ae000 | 0x14000 | 0x13e00 | 573afed91088417b6cf9f87b81a0a286 | False | 0.7014298349056604 | data | 7.422536272111443 | IMAGE_SCN_MEM_READ |

| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_ICON | 0x2034f4 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.3064516129032258 |
| RT_ICON | 0x2037dc | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.48986486486486486 |
| RT_ICON | 0x203904 | 0x1628 | Device independent bitmap graphic, 64 x 128 x 8, image size 4096, 256 important colors | English | United States | 0.24876586741889986 |
| RT_ICON | 0x204f2c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.298773987206823 |
| RT_ICON | 0x205dd4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.1565884476534296 |
| RT_ICON | 0x20667c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.16329479768786126 |
| RT_ICON | 0x206be4 | 0x3524 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9886062922669803 |
| RT_ICON | 0x20a108 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.10857683413916334 |
| RT_ICON | 0x2135b0 | 0x67e8 | Device independent bitmap graphic, 80 x 160 x 32, image size 26560 | English | United States | 0.11736842105263158 |
| RT_ICON | 0x219d98 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.1307301293900185 |
| RT_ICON | 0x21f220 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.1379900803023146 |
| RT_ICON | 0x223448 | 0x3a48 | Device independent bitmap graphic, 60 x 120 x 32, image size 14880 | English | United States | 0.14711796246648792 |
| RT_ICON | 0x226e90 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.18443983402489628 |
| RT_ICON | 0x229438 | 0x1a68 | Device independent bitmap graphic, 40 x 80 x 32, image size 6720 | English | United States | 0.20310650887573964 |
| RT_ICON | 0x22aea0 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.08864915572232646 |
| RT_ICON | 0x22bf48 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.125 |
| RT_ICON | 0x22c8d0 | 0x6b8 | Device independent bitmap graphic, 20 x 40 x 32, image size 1680 | English | United States | 0.13895348837209304 |
| RT_ICON | 0x22cf88 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.17819148936170212 |
| RT_RCDATA | 0x22d3f0 | 0x41dc00 | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows | | | 0.5490169525146484 |
| RT_RCDATA | 0x64aff0 | 0x161770 | PE32 executable (GUI) Intel 80386, for MS Windows | | | 0.8554420471191406 |
| RT_GROUP_ICON | 0x7ac760 | 0x102 | data | English | United States | 0.6317829457364341 |
| RT_VERSION | 0x7ac864 | 0x354 | data | English | United States | 0.4448356807511737 |
| RT_MANIFEST | 0x7acbb8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727 |

| DLL | Import |
|---|---|
| KERNEL32.dll | DeleteCriticalSection, GetLongPathNameW, GetModuleFileNameW, WideCharToMultiByte, GetPrivateProfileIntW, GetPrivateProfileStringW, OutputDebugStringW, FreeLibrary, LoadLibraryExW, GetCommandLineW, LocalFree, MultiByteToWideChar, WriteFile, CreateFileW, CloseHandle, OutputDebugStringA, LocalAlloc, LoadLibraryA, SizeofResource, HeapFree, InitializeCriticalSection, CreateMutexW, InitializeCriticalSectionEx, ReleaseMutex, HeapSize, LockResource, HeapReAlloc, RaiseException, FindResourceExW, LoadResource, FindResourceW, HeapAlloc, GetCurrentDirectoryW, HeapDestroy, SetCurrentDirectoryW, GetWindowsDirectoryW, GetProcessHeap, CopyFileW, OpenMutexW, WriteConsoleW, FlushFileBuffers, GetStringTypeW, FreeEnvironmentStringsW, GetEnvironmentStringsW, LeaveCriticalSection, EnterCriticalSection, GetModuleHandleW, VerSetConditionMask, IsProcessorFeaturePresent, GetProcAddress, GetLastError, GetFullPathNameW, GetVersionExW, GetCommandLineA, GetCPInfo, GetOEMCP, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryEnterCriticalSection, GetCurrentThreadId, QueryPerformanceCounter, FlsAlloc, FlsGetValue, FlsSetValue, FlsFree, GetSystemTimeAsFileTime, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, CreateEventW, IsDebuggerPresent, GetStartupInfoW, GetCurrentProcessId, InitializeSListHead, RtlUnwindEx, RtlPcToFileHeader, SetLastError, EncodePointer, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetConsoleMode, GetFileType, GetFileAttributesExW, ExitProcess, GetModuleHandleExW, GetStdHandle, SetStdHandle, SetFilePointerEx, GetConsoleOutputCP, LCMapStringW, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP |
| USER32.dll | GetSystemMetrics |
| ADVAPI32.dll | RegSetValueExW, RegCloseKey, RegOpenKeyExW, RegQueryValueExW, RegCreateKeyExW |
| SHELL32.dll | CommandLineToArgvW |

| Language of compilation system | Country where language is spoken |
|---|---|
| English | United States |

                                                                                            Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.


                                                                                            Target ID:0
                                                                                            Start time:19:23:59
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\Desktop\TMSSetup.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\Desktop\TMSSetup.exe"
                                                                                            Imagebase:0x140000000
                                                                                            File size:7'692'344 bytes
                                                                                            MD5 hash:E0EFCD15DAAA87D864F56C803156AE43
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:1
                                                                                            Start time:19:24:00
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Windows\System32\rundll32.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test
                                                                                            Imagebase:0x7ff6aeae0000
                                                                                            File size:71'680 bytes
                                                                                            MD5 hash:EF3179D498793BF4234F708D3BE28633
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:2
                                                                                            Start time:19:24:00
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\System32\rundll32.exe" "C:\Users\user\AppData\Local\Temp\CleanUp.dll", Test
                                                                                            Imagebase:0xd20000
                                                                                            File size:61'440 bytes
                                                                                            MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:false

                                                                                            Target ID:3
                                                                                            Start time:19:24:01
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe"
                                                                                            Imagebase:0x2f0000
                                                                                            File size:1'447'792 bytes
                                                                                            MD5 hash:CF0E0F57B68A11D099EC944200A6069D
                                                                                            Has elevated privileges:true
                                                                                            Has administrator privileges:true
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:4
                                                                                            Start time:19:24:01
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe" --rerunningWithoutUAC
                                                                                            Imagebase:0x2f0000
                                                                                            File size:1'447'792 bytes
                                                                                            MD5 hash:CF0E0F57B68A11D099EC944200A6069D
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:5
                                                                                            Start time:19:24:02
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\SquirrelTemp\Update.exe" --install . --rerunningWithoutUAC --exeName=MSTeamsSetup_c_l_.exe --bootstrapperMode
                                                                                            Imagebase:0xbb0000
                                                                                            File size:2'587'536 bytes
                                                                                            MD5 hash:8F0E958D7EF57D727ADCDA1C67C24C2B
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\SquirrelTemp\Update.exe, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:10
                                                                                            Start time:19:26:09
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe" --updateSelf=C:\Users\user\AppData\Local\SquirrelTemp\Update.exe
                                                                                            Imagebase:0x820000
                                                                                            File size:2'593'968 bytes
                                                                                            MD5 hash:17927E3240D3B0212A4B93C1D45F92B0
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Yara matches:
                                                                                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Microsoft\Teams\current\Squirrel.exe, Author: Joe Security
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:11
                                                                                            Start time:19:26:10
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-install 1.7.00.15969
                                                                                            Imagebase:0x7ff7a58b0000
                                                                                            File size:149'481'432 bytes
                                                                                            MD5 hash:E20A8E5630CFCAD496816E211D212EAC
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:true

                                                                                            Target ID:12
                                                                                            Start time:19:26:14
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --squirrel-firstrun
                                                                                            Imagebase:0x7ff7a58b0000
                                                                                            File size:149'481'432 bytes
                                                                                            MD5 hash:E20A8E5630CFCAD496816E211D212EAC
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:false

                                                                                            Target ID:14
                                                                                            Start time:19:26:17
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\system32\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
                                                                                            Imagebase:0x1a0000
                                                                                            File size:20'992 bytes
                                                                                            MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:15
                                                                                            Start time:19:26:17
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Windows\System32\regsvr32.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline: /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x64\Microsoft.Teams.AddinLoader.dll"
                                                                                            Imagebase:0x7ff6f6d20000
                                                                                            File size:25'088 bytes
                                                                                            MD5 hash:B0C2FA35D14A9FAD919E99D9D75E1B9E
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:16
                                                                                            Start time:19:26:18
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Windows\SysWOW64\regsvr32.exe
                                                                                            Wow64 process (32bit):true
                                                                                            Commandline:"C:\Windows\SysWOW64\regsvr32.exe" /s /n /i:user "C:\Users\user\AppData\Local\Microsoft\TeamsMeetingAddin\1.0.24151.1\x86\Microsoft.Teams.AddinLoader.dll"
                                                                                            Imagebase:0x1a0000
                                                                                            File size:20'992 bytes
                                                                                            MD5 hash:878E47C8656E53AE8A8A21E927C6F7E0
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:high
                                                                                            Has exited:true

                                                                                            Target ID:17
                                                                                            Start time:19:26:21
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
                                                                                            Imagebase:0x7ff7a58b0000
                                                                                            File size:149'481'432 bytes
                                                                                            MD5 hash:E20A8E5630CFCAD496816E211D212EAC
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:false

                                                                                            Target ID:18
                                                                                            Start time:19:26:26
                                                                                            Start date:19/06/2024
                                                                                            Path:C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe
                                                                                            Wow64 process (32bit):false
                                                                                            Commandline:"C:\Users\user\AppData\Local\Microsoft\Teams\current\Teams.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\Microsoft\Teams" --mojo-platform-channel-handle=2156 --field-trial-handle=1900,i,4323511078249520092,10172259398585920276,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
                                                                                            Imagebase:0x7ff7a58b0000
                                                                                            File size:149'481'432 bytes
                                                                                            MD5 hash:E20A8E5630CFCAD496816E211D212EAC
                                                                                            Has elevated privileges:false
                                                                                            Has administrator privileges:false
                                                                                            Programmed in:C, C++ or other language
                                                                                            Reputation:low
                                                                                            Has exited:false

                                                                                              Execution Graph

                                                                                              Execution Coverage:1.8%
                                                                                              Dynamic/Decrypted Code Coverage:99.7%
                                                                                              Signature Coverage:14.8%
                                                                                              Total number of Nodes:1275
                                                                                              Total number of Limit Nodes:1
4839 5f3b38 4838->4839 4840 5f3b2a 4838->4840 4846 5f3b7c 4839->4846 4841 5f1b80 _getptd 38 API calls 4840->4841 4843 5f3b2f 4841->4843 4844 5f3b70 4843->4844 4845 5f1f34 _amsg_exit 38 API calls 4843->4845 4844->4834 4845->4844 4847 5f3bcc 4846->4847 4848 5f3b8e __addlocaleref _updatetlocinfoEx_nolock 4846->4848 4847->4843 4848->4847 4850 5f38c8 4848->4850 4851 5f3964 4850->4851 4853 5f38eb 4850->4853 4852 5f39b7 4851->4852 4854 5f2a68 free 5 API calls 4851->4854 4865 5f39e4 4852->4865 4918 5f57e8 4852->4918 4853->4851 4856 5f392a 4853->4856 4864 5f2a68 free 5 API calls 4853->4864 4857 5f3988 4854->4857 4860 5f394c 4856->4860 4867 5f2a68 free 5 API calls 4856->4867 4859 5f2a68 free 5 API calls 4857->4859 4866 5f399c 4859->4866 4861 5f2a68 free 5 API calls 4860->4861 4868 5f3958 4861->4868 4862 5f3a42 4863 5f2a68 free 5 API calls 4863->4865 4869 5f391e 4864->4869 4865->4862 4870 5f2a68 5 API calls free 4865->4870 4871 5f2a68 free 5 API calls 4866->4871 4873 5f3940 4867->4873 4874 5f2a68 free 5 API calls 4868->4874 4878 5f5670 4869->4878 4870->4865 4872 5f39ab 4871->4872 4876 5f2a68 free 5 API calls 4872->4876 4906 5f577c 4873->4906 4874->4851 4876->4852 4879 5f5774 4878->4879 4880 5f5679 4878->4880 4879->4856 4881 5f5693 4880->4881 4882 5f2a68 free 5 API calls 4880->4882 4883 5f56a5 4881->4883 4885 5f2a68 free 5 API calls 4881->4885 4882->4881 4884 5f56b7 4883->4884 4886 5f2a68 free 5 API calls 4883->4886 4887 5f56c9 4884->4887 4888 5f2a68 free 5 API calls 4884->4888 4885->4883 4886->4884 4889 5f56db 4887->4889 4890 5f2a68 free 5 API calls 4887->4890 4888->4887 4891 5f56ed 4889->4891 4892 5f2a68 free 5 API calls 4889->4892 4890->4889 4893 5f56ff 4891->4893 4894 5f2a68 free 5 API calls 4891->4894 4892->4891 4895 5f5711 4893->4895 4896 5f2a68 free 5 API calls 4893->4896 4894->4893 4897 5f5723 4895->4897 4898 5f2a68 free 5 API calls 4895->4898 4896->4895 4899 5f5735 4897->4899 4900 5f2a68 free 5 API calls 4897->4900 4898->4897 4901 5f574a 4899->4901 4902 5f2a68 free 5 
API calls 4899->4902 4900->4899 4903 5f575f 4901->4903 4904 5f2a68 free 5 API calls 4901->4904 4902->4901 4903->4879 4905 5f2a68 free 5 API calls 4903->4905 4904->4903 4905->4879 4907 5f5781 4906->4907 4916 5f57e2 4906->4916 4908 5f579a 4907->4908 4909 5f2a68 free 5 API calls 4907->4909 4910 5f57ac 4908->4910 4911 5f2a68 free 5 API calls 4908->4911 4909->4908 4912 5f2a68 free 5 API calls 4910->4912 4913 5f57be 4910->4913 4911->4910 4912->4913 4914 5f57d0 4913->4914 4915 5f2a68 free 5 API calls 4913->4915 4914->4916 4917 5f2a68 free 5 API calls 4914->4917 4915->4914 4916->4860 4917->4916 4919 5f39d8 4918->4919 4920 5f57f1 4918->4920 4919->4863 4921 5f2a68 free 5 API calls 4920->4921 4922 5f5802 4921->4922 4923 5f2a68 free 5 API calls 4922->4923 4924 5f580b 4923->4924 4925 5f2a68 free 5 API calls 4924->4925 4926 5f5814 4925->4926 4927 5f2a68 free 5 API calls 4926->4927 4928 5f581d 4927->4928 4929 5f2a68 free 5 API calls 4928->4929 4930 5f5826 4929->4930 4931 5f2a68 free 5 API calls 4930->4931 4932 5f582f 4931->4932 4933 5f2a68 free 5 API calls 4932->4933 4934 5f5837 4933->4934 4935 5f2a68 free 5 API calls 4934->4935 4936 5f5840 4935->4936 4937 5f2a68 free 5 API calls 4936->4937 4938 5f5849 4937->4938 4939 5f2a68 free 5 API calls 4938->4939 4940 5f5852 4939->4940 4941 5f2a68 free 5 API calls 4940->4941 4942 5f585b 4941->4942 4943 5f2a68 free 5 API calls 4942->4943 4944 5f5864 4943->4944 4945 5f2a68 free 5 API calls 4944->4945 4946 5f586d 4945->4946 4947 5f2a68 free 5 API calls 4946->4947 4948 5f5876 4947->4948 4949 5f2a68 free 5 API calls 4948->4949 4950 5f587f 4949->4950 4951 5f2a68 free 5 API calls 4950->4951 4952 5f5888 4951->4952 4953 5f2a68 free 5 API calls 4952->4953 4954 5f5894 4953->4954 4955 5f2a68 free 5 API calls 4954->4955 4956 5f58a0 4955->4956 4957 5f2a68 free 5 API calls 4956->4957 4958 5f58ac 4957->4958 4959 5f2a68 free 5 API calls 4958->4959 4960 5f58b8 4959->4960 4961 5f2a68 free 5 API calls 4960->4961 4962 5f58c4 4961->4962 4963 5f2a68 free 5 API 
calls 4962->4963 4964 5f58d0 4963->4964 4965 5f2a68 free 5 API calls 4964->4965 4966 5f58dc 4965->4966 4967 5f2a68 free 5 API calls 4966->4967 4968 5f58e8 4967->4968 4969 5f2a68 free 5 API calls 4968->4969 4970 5f58f4 4969->4970 4971 5f2a68 free 5 API calls 4970->4971 4972 5f5900 4971->4972 4973 5f2a68 free 5 API calls 4972->4973 4974 5f590c 4973->4974 4975 5f2a68 free 5 API calls 4974->4975 4976 5f5918 4975->4976 4977 5f2a68 free 5 API calls 4976->4977 4978 5f5924 4977->4978 4979 5f2a68 free 5 API calls 4978->4979 4980 5f5930 4979->4980 4981 5f2a68 free 5 API calls 4980->4981 4982 5f593c 4981->4982 4983 5f2a68 free 5 API calls 4982->4983 4984 5f5948 4983->4984 4985 5f2a68 free 5 API calls 4984->4985 4986 5f5954 4985->4986 4987 5f2a68 free 5 API calls 4986->4987 4988 5f5960 4987->4988 4989 5f2a68 free 5 API calls 4988->4989 4990 5f596c 4989->4990 4991 5f2a68 free 5 API calls 4990->4991 4992 5f5978 4991->4992 4993 5f2a68 free 5 API calls 4992->4993 4994 5f5984 4993->4994 4995 5f2a68 free 5 API calls 4994->4995 4996 5f5990 4995->4996 4997 5f2a68 free 5 API calls 4996->4997 4998 5f599c 4997->4998 4999 5f2a68 free 5 API calls 4998->4999 5000 5f59a8 4999->5000 5001 5f2a68 free 5 API calls 5000->5001 5002 5f59b4 5001->5002 5003 5f2a68 free 5 API calls 5002->5003 5004 5f59c0 5003->5004 5005 5f2a68 free 5 API calls 5004->5005 5006 5f59cc 5005->5006 5007 5f2a68 free 5 API calls 5006->5007 5008 5f59d8 5007->5008 5009 5f2a68 free 5 API calls 5008->5009 5010 5f59e4 5009->5010 5011 5f2a68 free 5 API calls 5010->5011 5012 5f59f0 5011->5012 5013 5f2a68 free 5 API calls 5012->5013 5014 5f59fc 5013->5014 5015 5f2a68 free 5 API calls 5014->5015 5016 5f5a08 5015->5016 5017 5f2a68 free 5 API calls 5016->5017 5018 5f5a14 5017->5018 5019 5f2a68 free 5 API calls 5018->5019 5020 5f5a20 5019->5020 5021 5f2a68 free 5 API calls 5020->5021 5022 5f5a2c 5021->5022 5023 5f2a68 free 5 API calls 5022->5023 5024 5f5a38 5023->5024 5025 5f2a68 free 5 API calls 5024->5025 5026 5f5a44 5025->5026 5027 
5f2a68 free 5 API calls 5026->5027 5028 5f5a50 5027->5028 5029 5f2a68 free 5 API calls 5028->5029 5030 5f5a5c 5029->5030 5031 5f2a68 free 5 API calls 5030->5031 5032 5f5a68 5031->5032 5033 5f2a68 free 5 API calls 5032->5033 5034 5f5a74 5033->5034 5035 5f2a68 free 5 API calls 5034->5035 5036 5f5a80 5035->5036 5037 5f2a68 free 5 API calls 5036->5037 5038 5f5a8c 5037->5038 5039 5f2a68 free 5 API calls 5038->5039 5040 5f5a98 5039->5040 5041 5f2a68 free 5 API calls 5040->5041 5042 5f5aa4 5041->5042 5043 5f2a68 free 5 API calls 5042->5043 5044 5f5ab0 5043->5044 5045 5f2a68 free 5 API calls 5044->5045 5046 5f5abc 5045->5046 5047 5f2a68 free 5 API calls 5046->5047 5048 5f5ac8 5047->5048 5049 5f2a68 free 5 API calls 5048->5049 5050 5f5ad4 5049->5050 5051 5f2a68 free 5 API calls 5050->5051 5052 5f5ae0 5051->5052 5053 5f2a68 free 5 API calls 5052->5053 5054 5f5aec 5053->5054 5055 5f2a68 free 5 API calls 5054->5055 5056 5f5af8 5055->5056 5057 5f2a68 free 5 API calls 5056->5057 5058 5f5b04 5057->5058 5059 5f2a68 free 5 API calls 5058->5059 5060 5f5b10 5059->5060 5061 5f2a68 free 5 API calls 5060->5061 5062 5f5b1c 5061->5062 5063 5f2a68 free 5 API calls 5062->5063 5064 5f5b28 5063->5064 5065 5f2a68 free 5 API calls 5064->5065 5066 5f5b34 5065->5066 5067 5f2a68 free 5 API calls 5066->5067 5068 5f5b40 5067->5068 5069 5f2a68 free 5 API calls 5068->5069 5070 5f5b4c 5069->5070 5071 5f2a68 free 5 API calls 5070->5071 5072 5f5b58 5071->5072 5073 5f2a68 free 5 API calls 5072->5073 5074 5f5b64 5073->5074 5075 5f2a68 free 5 API calls 5074->5075 5076 5f5b70 5075->5076 5077 5f2a68 free 5 API calls 5076->5077 5078 5f5b7c 5077->5078 5079 5f2a68 free 5 API calls 5078->5079 5080 5f5b88 5079->5080 5081 5f2a68 free 5 API calls 5080->5081 5082 5f5b94 5081->5082 5083 5f2a68 free 5 API calls 5082->5083 5084 5f5ba0 5083->5084 5085 5f2a68 free 5 API calls 5084->5085 5086 5f5bac 5085->5086 5087 5f2a68 free 5 API calls 5086->5087 5088 5f5bb8 5087->5088 5089 5f2a68 free 5 API calls 5088->5089 5090 5f5bc4 
5089->5090 5091 5f2a68 free 5 API calls 5090->5091 5092 5f5bd0 5091->5092 5093 5f2a68 free 5 API calls 5092->5093 5093->4919 5095 5f3e09 5094->5095 5103 5f3ee9 5094->5103 5104 5f60e0 5095->5104 5098 5f1430 _NMSG_WRITE 3 API calls 5099 5f3f8c 5098->5099 5099->4803 5102 5f5ed0 __crtLCMapStringA 44 API calls 5102->5103 5103->5098 5105 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5104->5105 5106 5f6104 5105->5106 5114 5f5f68 5106->5114 5109 5f5ed0 5110 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5109->5110 5111 5f5ef5 5110->5111 5127 5f5be4 5111->5127 5115 5f5fa9 5114->5115 5116 5f5fb0 MultiByteToWideChar 5114->5116 5115->5116 5117 5f5fda 5116->5117 5124 5f5fd3 5116->5124 5120 5f5448 malloc 32 API calls 5117->5120 5125 5f6009 _ld12tod __crtGetStringTypeA_stat 5117->5125 5118 5f1430 _NMSG_WRITE 3 API calls 5119 5f3e7d 5118->5119 5119->5109 5120->5125 5121 5f606f MultiByteToWideChar 5122 5f60a5 5121->5122 5123 5f6090 GetStringTypeW 5121->5123 5122->5124 5126 5f2a68 free 5 API calls 5122->5126 5123->5122 5124->5118 5125->5121 5125->5124 5126->5124 5129 5f5c24 MultiByteToWideChar 5127->5129 5130 5f5c8c 5129->5130 5136 5f5c93 5129->5136 5131 5f1430 _NMSG_WRITE 3 API calls 5130->5131 5133 5f3eb0 5131->5133 5132 5f5d18 MultiByteToWideChar 5134 5f5d3e 5132->5134 5135 5f5da3 5132->5135 5133->5102 5152 5f6a0c 5134->5152 5135->5130 5139 5f2a68 free 5 API calls 5135->5139 5138 5f5cce __crtGetStringTypeA_stat 5136->5138 5140 5f5448 malloc 32 API calls 5136->5140 5138->5130 5138->5132 5139->5130 5140->5138 5142 5f5d72 5142->5135 5143 5f6a0c __crtCompareStringEx LCMapStringW 5142->5143 5143->5135 5144 5f5da8 5146 5f5448 malloc 32 API calls 5144->5146 5149 5f5dd5 __crtGetStringTypeA_stat 5144->5149 5145 5f6a0c __crtCompareStringEx LCMapStringW 5147 5f5e44 5145->5147 5146->5149 5148 5f5e86 5147->5148 5150 5f5e7b WideCharToMultiByte 5147->5150 5148->5135 5151 5f2a68 free 5 API calls 5148->5151 5149->5135 5149->5145 5150->5148 5151->5135 5153 5f6a5e 
__crtDownlevelLocaleNameToLCID 5152->5153 5155 5f5d5c 5152->5155 5154 5f6a63 LCMapStringW 5153->5154 5154->5155 5155->5135 5155->5142 5155->5144 5157 5f5298 5156->5157 5158 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5157->5158 5159 5f52bc 5158->5159 5159->4760 5161 5f5333 5160->5161 5162 5f533d 5160->5162 5161->5162 5166 5f5359 5161->5166 5163 5f4a68 _errno 5 API calls 5162->5163 5168 5f5345 5163->5168 5164 5f46b8 _invalid_parameter_noinfo 8 API calls 5165 5f5351 5164->5165 5165->4479 5166->5165 5167 5f4a68 _errno 5 API calls 5166->5167 5167->5168 5168->5164 5170 5f4d2b EncodePointer 5169->5170 5170->5170 5171 5f4d46 5170->5171 5171->4486 5175 5f4bf4 5172->5175 5176 5f20f8 5175->5176 5177 5f4c15 DecodePointer DecodePointer 5176->5177 5178 5f4c3f 5177->5178 5179 5f4cda 5177->5179 5178->5179 5190 5f68ac 5178->5190 5202 5f2104 5179->5202 5184 5f4cb8 EncodePointer EncodePointer 5184->5179 5186 5f4c7f 5186->5179 5187 5f4ca0 EncodePointer 5186->5187 5188 5f3354 _realloc_crt 34 API calls 5186->5188 5187->5184 5189 5f4c9b 5188->5189 5189->5179 5189->5187 5191 5f68ce HeapSize 5190->5191 5192 5f68b5 5190->5192 5193 5f4a68 _errno 5 API calls 5192->5193 5194 5f68ba 5193->5194 5195 5f46b8 _invalid_parameter_noinfo 8 API calls 5194->5195 5196 5f4c5b 5195->5196 5196->5184 5196->5186 5197 5f3354 5196->5197 5199 5f3379 5197->5199 5200 5f33b7 5199->5200 5201 5f3399 Sleep 5199->5201 5204 5f5500 5199->5204 5200->5186 5201->5199 5201->5200 5203 5f3824 LeaveCriticalSection 5202->5203 5205 5f551a 5204->5205 5206 5f5524 5204->5206 5207 5f5448 malloc 32 API calls 5205->5207 5208 5f5529 5206->5208 5215 5f5530 5206->5215 5221 5f5522 free __crtMessageBoxW 5207->5221 5209 5f2a68 free 5 API calls 5208->5209 5209->5221 5210 5f5579 5212 5f4d94 _callnewh DecodePointer 5210->5212 5211 5f5536 HeapReAlloc 5211->5215 5211->5221 5213 5f5581 5212->5213 5216 5f4a68 _errno 5 API calls 5213->5216 5214 5f55b7 5218 5f4a68 _errno 5 API calls 5214->5218 5215->5210 5215->5211 5215->5214 5217 5f4d94 
_callnewh DecodePointer 5215->5217 5219 5f559e 5215->5219 5216->5221 5217->5215 5218->5221 5220 5f4a68 _errno 5 API calls 5219->5220 5220->5221 5221->5199 5223 5f1a19 5222->5223 5243 5f1b38 5222->5243 5224 5f1a34 5223->5224 5225 5f2a68 free 5 API calls 5223->5225 5226 5f2a68 free 5 API calls 5224->5226 5227 5f1a42 5224->5227 5225->5224 5226->5227 5228 5f1a50 5227->5228 5229 5f2a68 free 5 API calls 5227->5229 5230 5f1a5e 5228->5230 5232 5f2a68 free 5 API calls 5228->5232 5229->5228 5231 5f1a6c 5230->5231 5233 5f2a68 free 5 API calls 5230->5233 5234 5f1a7a 5231->5234 5235 5f2a68 free 5 API calls 5231->5235 5232->5230 5233->5231 5236 5f1a8b 5234->5236 5237 5f2a68 free 5 API calls 5234->5237 5235->5234 5238 5f2a68 free 5 API calls 5236->5238 5239 5f1aa3 5236->5239 5237->5236 5238->5239 5240 5f2a68 free 5 API calls 5239->5240 5244 5f1adc _updatetlocinfoEx_nolock 5239->5244 5240->5244 5241 5f1b25 5242 5f2a68 free 5 API calls 5241->5242 5242->5243 5243->4522 5244->5241 5245 5f38c8 __freetlocinfo 5 API calls 5244->5245 5245->5241 5246->4396 5247->4398 5249 5f12f2 5248->5249 5250 5f13e3 _NMSG_WRITE 5248->5250 5249->4401 5250->5249 5251 5f140e CloseHandle 5250->5251 5251->5249 5253 5fc02f 5252->5253 5721 5f1830 5722 5f1ba4 _getptd_noexit 5 API calls 5721->5722 5723 5f184e 5722->5723 5784 5fbe90 LeaveCriticalSection 5795 5f4bb0 5796 5f3258 _ioinit 5 API calls 5795->5796 5797 5f4bc3 EncodePointer 5796->5797 5798 5f4be2 5797->5798 5799 5fbdb0 5800 5fbdc0 5799->5800 5802 5fbdce 5799->5802 5801 5f1d6c _mtterm 8 API calls 5800->5801 5800->5802 5801->5802 5534 5f136f 5535 5f1430 _NMSG_WRITE 3 API calls 5534->5535 5536 5f137f 5535->5536 5724 5f842c 5725 5f8456 5724->5725 5732 5f8460 5724->5732 5726 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5725->5726 5725->5732 5727 5f8493 5726->5727 5727->5732 5736 5f830c 5727->5736 5730 5f84cc 5733 5f850c 5730->5733 5734 5f84e2 MultiByteToWideChar 5730->5734 5731 5f8526 MultiByteToWideChar 5731->5732 5731->5733 5733->5732 5735 5f4a68 _errno 
5 API calls 5733->5735 5734->5732 5734->5733 5735->5732 5737 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5736->5737 5738 5f831e 5737->5738 5738->5730 5738->5731 5530 5f3448 5531 5f355c 5530->5531 5533 5f3485 _IsNonwritableInCurrentImage __C_specific_handler 5530->5533 5532 5f3527 RtlUnwindEx 5532->5533 5533->5531 5533->5532 5537 5f7364 5538 5f737a 5537->5538 5539 5f7394 5537->5539 5540 5f3b7c _updatetlocinfoEx_nolock 5 API calls 5538->5540 5540->5539 5541 5f9e04 5544 5f9e28 5541->5544 5545 5f9e3b 5544->5545 5546 5f9e85 5544->5546 5547 5f9e57 5545->5547 5548 5f9e41 5545->5548 5600 5fa454 5546->5600 5551 5f9e7e 5547->5551 5552 5f9e77 5547->5552 5556 5fa6b0 5548->5556 5587 5f9ea8 5551->5587 5570 5fa784 5552->5570 5553 5f9e23 5614 5fb130 5556->5614 5559 5fa6f0 5561 5f4a68 _errno 5 API calls 5559->5561 5560 5fa705 5626 5faf94 5560->5626 5562 5fa6f5 5561->5562 5563 5f46b8 _invalid_parameter_noinfo 8 API calls 5562->5563 5566 5fa6fc 5563->5566 5565 5fa73d 5565->5566 5635 5fa54c 5565->5635 5568 5f1430 _NMSG_WRITE 3 API calls 5566->5568 5569 5fa778 5568->5569 5569->5553 5571 5fb130 _fltout2 13 API calls 5570->5571 5572 5fa7c4 5571->5572 5573 5fa7c9 5572->5573 5575 5fa7e1 5572->5575 5574 5f4a68 _errno 5 API calls 5573->5574 5576 5fa7ce 5574->5576 5577 5faf94 _fptostr 13 API calls 5575->5577 5578 5f46b8 _invalid_parameter_noinfo 8 API calls 5576->5578 5579 5fa816 5577->5579 5580 5fa7d5 5578->5580 5579->5580 5581 5fa86b 5579->5581 5583 5fa834 5579->5583 5582 5f1430 _NMSG_WRITE 3 API calls 5580->5582 5671 5fa258 5581->5671 5585 5fa8aa 5582->5585 5586 5fa54c _cftof2_l 38 API calls 5583->5586 5585->5553 5586->5580 5588 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5587->5588 5589 5f9ef1 5588->5589 5590 5f9eff 5589->5590 5592 5f9f10 5589->5592 5591 5f4a68 _errno 5 API calls 5590->5591 5593 5f9f04 5591->5593 5594 5f9f1e 5592->5594 5595 5f9f37 5592->5595 5598 5f46b8 _invalid_parameter_noinfo 8 API calls 5593->5598 5596 5f4a68 _errno 5 API calls 5594->5596 5597 5fa454 
_cftoe_l 38 API calls 5595->5597 5599 5f9f2f _ld12tod strrchr 5595->5599 5596->5593 5597->5599 5598->5599 5599->5553 5601 5fb130 _fltout2 13 API calls 5600->5601 5602 5fa492 5601->5602 5603 5fa497 5602->5603 5604 5fa4af 5602->5604 5605 5f4a68 _errno 5 API calls 5603->5605 5607 5faf94 _fptostr 13 API calls 5604->5607 5606 5fa49c 5605->5606 5608 5f46b8 _invalid_parameter_noinfo 8 API calls 5606->5608 5610 5fa4f7 5607->5610 5609 5fa4a3 5608->5609 5612 5f1430 _NMSG_WRITE 3 API calls 5609->5612 5610->5609 5611 5fa258 _cftoe2_l 38 API calls 5610->5611 5611->5609 5613 5fa53f 5612->5613 5613->5553 5615 5fb169 __dtold 5614->5615 5642 5fb2c4 5615->5642 5618 5f5328 _fltout2 13 API calls 5619 5fb1ae 5618->5619 5620 5fb1b2 5619->5620 5621 5fb1d1 5619->5621 5622 5f1430 _NMSG_WRITE 3 API calls 5620->5622 5623 5f46d8 _invoke_watson 7 API calls 5621->5623 5624 5fa6eb 5622->5624 5625 5fb1e6 5623->5625 5624->5559 5624->5560 5627 5fafad 5626->5627 5628 5fafc5 5626->5628 5630 5f4a68 _errno 5 API calls 5627->5630 5628->5627 5629 5fafca 5628->5629 5632 5f4a68 _errno 5 API calls 5629->5632 5634 5fafbe _NMSG_WRITE _fptostr 5629->5634 5631 5fafb2 5630->5631 5633 5f46b8 _invalid_parameter_noinfo 8 API calls 5631->5633 5632->5631 5633->5634 5634->5565 5636 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5635->5636 5637 5fa585 5636->5637 5638 5f4a68 _errno 5 API calls 5637->5638 5641 5fa5a0 _ld12tod _NMSG_WRITE _fptostr 5637->5641 5639 5fa594 5638->5639 5640 5f46b8 _invalid_parameter_noinfo 8 API calls 5639->5640 5640->5641 5641->5566 5643 5fb34a 5642->5643 5644 5fb3cd 5643->5644 5645 5fb3ab 5643->5645 5669 5fb359 5643->5669 5648 5fb3fd 5644->5648 5651 5fb3db 5644->5651 5647 5f5328 _fltout2 13 API calls 5645->5647 5646 5f1430 _NMSG_WRITE 3 API calls 5650 5fb18f 5646->5650 5647->5669 5649 5fb42d 5648->5649 5653 5fb407 5648->5653 5654 5f5328 _fltout2 13 API calls 5649->5654 5650->5618 5651->5649 5652 5fb3e0 5651->5652 5656 5f5328 _fltout2 13 API calls 5652->5656 5657 5f5328 _fltout2 13 API 
calls 5653->5657 5658 5fb442 5654->5658 5655 5fb3c8 5659 5f46d8 _invoke_watson 7 API calls 5655->5659 5660 5fb3f4 5656->5660 5661 5fb41b 5657->5661 5662 5fbd86 5658->5662 5670 5fb36b 5658->5670 5663 5fb3f8 5659->5663 5660->5663 5660->5670 5664 5fbd71 5661->5664 5661->5670 5665 5f46d8 _invoke_watson 7 API calls 5662->5665 5668 5f46d8 _invoke_watson 7 API calls 5663->5668 5666 5f46d8 _invoke_watson 7 API calls 5664->5666 5667 5fbd9b 5665->5667 5666->5662 5668->5664 5669->5655 5669->5670 5670->5646 5672 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5671->5672 5673 5fa292 5672->5673 5674 5fa29c 5673->5674 5675 5fa2a8 5673->5675 5676 5f4a68 _errno 5 API calls 5674->5676 5678 5fa2b9 5675->5678 5681 5fa2cf _NMSG_WRITE _fptostr 5675->5681 5677 5fa2a1 5676->5677 5680 5f46b8 _invalid_parameter_noinfo 8 API calls 5677->5680 5679 5f4a68 _errno 5 API calls 5678->5679 5679->5677 5686 5fa2ca _fptostr 5680->5686 5682 5f5328 _fltout2 13 API calls 5681->5682 5683 5fa375 5682->5683 5684 5f46d8 _invoke_watson 7 API calls 5683->5684 5683->5686 5685 5fa450 5684->5685 5687 5fb130 _fltout2 13 API calls 5685->5687 5686->5580 5688 5fa492 5687->5688 5689 5fa497 5688->5689 5690 5fa4af 5688->5690 5691 5f4a68 _errno 5 API calls 5689->5691 5693 5faf94 _fptostr 13 API calls 5690->5693 5692 5fa49c 5691->5692 5694 5f46b8 _invalid_parameter_noinfo 8 API calls 5692->5694 5695 5fa4f7 5693->5695 5696 5fa4a3 5694->5696 5695->5696 5697 5fa258 _cftoe2_l 38 API calls 5695->5697 5698 5f1430 _NMSG_WRITE 3 API calls 5696->5698 5697->5696 5699 5fa53f 5698->5699 5699->5580 5762 5f50c4 5763 5f50df 5762->5763 5764 5f3258 _ioinit 5 API calls 5763->5764 5765 5f50fe 5764->5765 5766 5f511b 5765->5766 5767 5f3258 _ioinit 5 API calls 5765->5767 5767->5766 5785 1400177c0 5788 140017d04 5785->5788 5789 140017d27 GetSystemTimeAsFileTime GetCurrentThreadId GetCurrentProcessId QueryPerformanceCounter 5788->5789 5790 1400177c9 5788->5790 5789->5790 5700 5f3700 5701 5f371d 5700->5701 5702 5f3736 5700->5702 5703 5f4714 
_FF_MSGBANNER 30 API calls 5701->5703 5705 5f32d8 _malloc_crt 33 API calls 5702->5705 5717 5f3747 _mtinitlocknum 5702->5717 5704 5f3722 5703->5704 5706 5f4788 _NMSG_WRITE 30 API calls 5704->5706 5707 5f3758 5705->5707 5708 5f372c 5706->5708 5709 5f376f 5707->5709 5710 5f3760 5707->5710 5712 5f1dd4 malloc ExitProcess 5708->5712 5713 5f3797 5709->5713 5714 5f3784 5709->5714 5711 5f4a68 _errno 5 API calls 5710->5711 5711->5717 5712->5702 5716 5f2a68 free 5 API calls 5713->5716 5715 5f2d9c _ioinit InitializeCriticalSectionAndSpinCount 5714->5715 5715->5717 5716->5717 5803 5fa9a0 5804 5fa9a8 5803->5804 5805 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5804->5805 5807 5fa9bb 5805->5807 5808 5fa9d7 5807->5808 5809 5fac60 5807->5809 5810 5fac82 5809->5810 5813 5fac72 5809->5813 5811 5f3c08 _LocaleUpdate::_LocaleUpdate 38 API calls 5810->5811 5812 5fac8e 5811->5812 5812->5813 5814 5fb1e8 _isctype_l 43 API calls 5812->5814 5813->5807 5814->5813

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                                • Part of subcall function 005F1000: FindResourceA.KERNEL32 ref: 005F102D
                                                                                                • Part of subcall function 005F1000: SizeofResource.KERNEL32 ref: 005F103F
                                                                                                • Part of subcall function 005F1000: LoadResource.KERNEL32 ref: 005F1050
                                                                                              • GetTempPathW.KERNEL32 ref: 005F1245
                                                                                              • lstrcatW.KERNEL32 ref: 005F125B
                                                                                              • lstrcatW.KERNEL32 ref: 005F1271
                                                                                              • lstrcatW.KERNEL32 ref: 005F1287
                                                                                              • lstrcatW.KERNEL32 ref: 005F129A
                                                                                              • lstrcatW.KERNEL32 ref: 005F12AD
                                                                                              • lstrcatW.KERNEL32 ref: 005F12C2
                                                                                              • lstrcatW.KERNEL32 ref: 005F12D5
                                                                                                • Part of subcall function 005F1390: CreateFileW.KERNEL32 ref: 005F13CC
                                                                                                • Part of subcall function 005F1390: WriteFile.KERNEL32 ref: 005F1400
                                                                                              • ShellExecuteW.SHELL32 ref: 005F132B
                                                                                              • Sleep.KERNEL32 ref: 005F1336
                                                                                              • ShellExecuteW.SHELL32 ref: 005F135C
                                                                                              • ExitProcess.KERNEL32 ref: 005F1364
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: lstrcat$Resource$ExecuteFileShell$CreateExitFindLoadPathProcessSizeofSleepTempWrite
                                                                                              • String ID: CleanUp.dll$\MSTeamsSetup_c_l_.exe
                                                                                              • API String ID: 1147435019-1228140222
                                                                                              • Opcode ID: 80b1d980afd2e131ed01df0148c29fe3679a5fadee64eea29e2dccfc64e2f084
                                                                                              • Instruction ID: 33e23ccfbc607c3a248ac453157b3e2730e779cc924fc74abb63e56a46f477bc
                                                                                              • Opcode Fuzzy Hash: 80b1d980afd2e131ed01df0148c29fe3679a5fadee64eea29e2dccfc64e2f084
                                                                                              • Instruction Fuzzy Hash: 83711C26218AC5C6E720CF64E85439FB762FB98785F405136E28987BA8EF7DC509CF44

                                                                                              Control-flow Graph

                                                                                              control_flow_graph 11 5f1390-5f13dd CreateFileW 12 5f13df-5f13e1 11->12 13 5f13e3-5f1408 call 5fc018 11->13 14 5f141b-5f141f 12->14 17 5f140e-5f1419 CloseHandle 13->17 18 5f140a-5f140c 13->18 17->14 18->14
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$CreateWrite
                                                                                              • String ID:
                                                                                              • API String ID: 2263783195-0
                                                                                              • Opcode ID: 81306676aa4f7f5ded7acd79df79a841f177d916180adf629023c7257710c000
                                                                                              • Instruction ID: 9dc723d846fab23504a740aef55870da342f863a005e4cf93faace7dd1d9b92d
                                                                                              • Opcode Fuzzy Hash: 81306676aa4f7f5ded7acd79df79a841f177d916180adf629023c7257710c000
                                                                                              • Instruction Fuzzy Hash: 3201C572118A44C2DB20CF25E84872BBB74F3857A4F601624EA9943AA8CF3DC55A9F44

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 218 5f1000-5f106f FindResourceA SizeofResource LoadResource
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: Resource$FindLoadSizeof
                                                                                              • String ID:
                                                                                              • API String ID: 507330600-0
                                                                                              • Opcode ID: df525f0ad103e5ee2291d149a3f11b715ea941bd0bb49f6407f5966d909aa2c2
                                                                                              • Instruction ID: d66b100242802f0304c40427e396997b3484afad6d0db66bc2b0a25a6ade84a5
                                                                                              • Opcode Fuzzy Hash: df525f0ad103e5ee2291d149a3f11b715ea941bd0bb49f6407f5966d909aa2c2
                                                                                              • Instruction Fuzzy Hash: 6DF0B2B6618B4486C7248F25E45471FBBA0F7887A5F404629EACA42B58DB3DC1498F00
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aaf859dcf50bc12e6187ac976ab75f3b24ad89be81b2ca3f4c43cee4f73ee478
                                                                                              • Instruction ID: 2b42e078f9ee77bb17fe2c7ede6fcfd640a062482dfa51cea1adcc73fc487c25
                                                                                              • Opcode Fuzzy Hash: aaf859dcf50bc12e6187ac976ab75f3b24ad89be81b2ca3f4c43cee4f73ee478
                                                                                              • Instruction Fuzzy Hash:

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 19 5f1dec-5f1e10 DecodePointer 20 5f1e2c-5f1e46 call 5f2a68 19->20 21 5f1e12-5f1e18 19->21 27 5f1e48-5f1e4e 20->27 28 5f1e62-5f1ea1 call 5f2a68 * 3 20->28 23 5f1e1a-5f1e23 call 5f2a68 21->23 24 5f1e25 21->24 23->21 23->24 24->20 30 5f1e5b 27->30 31 5f1e50-5f1e59 call 5f2a68 27->31 40 5f1eb5-5f1ecf EncodePointer 28->40 41 5f1ea3-5f1eab 28->41 30->28 31->27 31->30 43 5f1ede-5f1ee8 40->43 44 5f1ed1-5f1ed6 call 5f2a68 40->44 41->40 42 5f1ead-5f1eb0 call 5f2a68 41->42 42->40 47 5f1eea-5f1eef call 5f2a68 43->47 48 5f1ef7-5f1f06 43->48 44->43 47->48 51 5f1f08-5f1f19 48->51 52 5f1f27-5f1f31 48->52 51->52 54 5f1f1b-5f1f20 call 5f2a68 51->54 54->52
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: free$Pointer$DecodeEncodeErrorFreeHeapLast_errno
                                                                                              • String ID:
                                                                                              • API String ID: 4099253644-0
                                                                                              • Opcode ID: f4feac3edb6ebcca3e8f2b1eb2c4c9ae7ebef9b3e4572afd8ec12a80d1b8d9d9
                                                                                              • Instruction ID: 288e6fcf28287328c7dd0043383654582d76479d7ad4c06928bad0b89c420b4d
                                                                                              • Opcode Fuzzy Hash: f4feac3edb6ebcca3e8f2b1eb2c4c9ae7ebef9b3e4572afd8ec12a80d1b8d9d9
                                                                                              • Instruction Fuzzy Hash: BB3180A6681E4AC5FE24EF11F86433A3F69BB95B94F484224DF1A0A751CF7EC464C314

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: Pointer$Decode$Encode$ExitProcess
                                                                                              • String ID:
                                                                                              • API String ID: 3597827916-0
                                                                                              • Opcode ID: 9a6943dbf199bf36ede53401e1f6156218a893ebade371515995f1f640cb2949
                                                                                              • Instruction ID: b5b24b3d1fdb62e90bbd9f78eb06983a1b5e26f0dae3ce74a68198d9fe3b38c2
                                                                                              • Opcode Fuzzy Hash: 9a6943dbf199bf36ede53401e1f6156218a893ebade371515995f1f640cb2949
                                                                                              • Instruction Fuzzy Hash: CB417F75206A4A81EB109F21FD4473A7AA6F788BD8F440039AB8E47B64DF3DC469CB04

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 86 5f842c-5f8454 87 5f8469 86->87 88 5f8456-5f8459 86->88 90 5f846b-5f8485 87->90 88->87 89 5f845b-5f845e 88->89 91 5f8486-5f849f call 5f3c08 89->91 92 5f8460-5f8463 89->92 96 5f84b6-5f84ca call 5f830c 91->96 97 5f84a1-5f84a4 91->97 92->87 93 5f8465 92->93 93->87 103 5f84cc-5f84db 96->103 104 5f8526-5f8553 MultiByteToWideChar 96->104 99 5f84ac-5f84b1 97->99 100 5f84a6-5f84a9 97->100 102 5f8563-5f8568 99->102 100->99 105 5f856a-5f856f 102->105 106 5f8576-5f8578 102->106 107 5f84dd-5f84e0 103->107 108 5f850c-5f8516 103->108 104->102 109 5f8555-5f855d call 5f4a68 104->109 105->106 106->90 107->108 110 5f84e2-5f850a MultiByteToWideChar 107->110 108->109 111 5f8518-5f851c 108->111 109->102 110->108 113 5f851e-5f8524 110->113 111->109 111->113 113->102
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::__errno_isleadbyte_l
                                                                                              • String ID:
                                                                                              • API String ID: 2998201375-0
                                                                                              • Opcode ID: 71a23b5935c012140a1eb48c045677d1a8009f2167aa5e0da77b886a72112d3b
                                                                                              • Instruction ID: 4263afb637b659fced6227b03a4762a3147a2488ede4e584fc31d52944231edf
                                                                                              • Opcode Fuzzy Hash: 71a23b5935c012140a1eb48c045677d1a8009f2167aa5e0da77b886a72112d3b
                                                                                              • Instruction Fuzzy Hash: 3B317C722147858BDB208F15E584779BFA5FB85F98F188126EB8997B69DF3CC8418B00

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              control_flow_graph 115 5f1d90-5f1dae call 5fc0a0 118 5f1dcb-5f1dd0 115->118 119 5f1db0-5f1dc5 call 5fc0a8 115->119 119->118 122 5f1dc7 119->122 122->118
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000000.00000002.1686198039.00000000005F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005F0000, based on PE: true
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_0_2_5f0000_TMSSetup.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 1646373207-1276376045
                                                                                              • Opcode ID: a624fdb2091a418342662ab452048541ba47e4862a7cf804d1c07e801a55bada
                                                                                              • Instruction ID: 566af99ba841bdd7c131c1c5d025f18de3f2865bd2a4e0e6a4a9b761877e15cd
                                                                                              • Opcode Fuzzy Hash: a624fdb2091a418342662ab452048541ba47e4862a7cf804d1c07e801a55bada
                                                                                              • Instruction Fuzzy Hash: 60E08660311E0FC1EF145B60EC8477A1B70AB44781F44583A950B46364DF2CC58ECB00

                                                                                              Execution Graph

                                                                                              Execution Coverage:1.6%
                                                                                              Dynamic/Decrypted Code Coverage:0%
                                                                                              Signature Coverage:14.4%
                                                                                              Total number of Nodes:388
                                                                                              Total number of Limit Nodes:9

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(kernel32.dll,?), ref: 002FE827
                                                                                              • GetProcAddress.KERNEL32(00000000,SetDefaultDllDirectories), ref: 002FE841
                                                                                              • CoUninitialize.OLE32(?), ref: 002FEB2C
                                                                                              Strings
                                                                                              • --checkInstall, xrefs: 002FE876
                                                                                              • --silent, xrefs: 002FE8C0, 002FE8C5, 002FE8CC
                                                                                              • Please re-run this installer as a normal user instead of "Run as Administrator"., xrefs: 002FE95E
                                                                                              • ERROR: please re-run this installer as a normal user instead of "Run as Administrator"., xrefs: 002FE983
                                                                                              • This program cannot run on Windows XP or before; it requires a later version of Windows., xrefs: 002FE9A7
                                                                                              • Failed to install the .NET Framework, try installing .NET 4.5 or higher manually, xrefs: 002FE9D9
                                                                                              • Incompatible Operating System, xrefs: 002FE9A2
                                                                                              • --allUsers, xrefs: 002FE93B
                                                                                              • ERROR: failed to install the .NET Framework, try installing .NET 4.5 or higher manually, xrefs: 002FE9FE
                                                                                              • kernel32.dll, xrefs: 002FE822
                                                                                              • --msiOverride, xrefs: 002FE8A6, 002FE8AB, 002FE8B2
                                                                                              • --rerunningWithoutUAC, xrefs: 002FE923
                                                                                              • ERROR: this program cannot run on Windows XP or before; it requires a later version of Windows., xrefs: 002FE9B8
                                                                                              • ERROR: cannot install for all users when a VDI environment is not detected., xrefs: 002FEA2E
                                                                                              • --rerunningWithoutUAC, xrefs: 002FEA5E, 002FEA63, 002FEA6A
                                                                                              • SetDefaultDllDirectories, xrefs: 002FE83B
                                                                                              • Cannot install for all users when a VDI environment is not detected., xrefs: 002FEA24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressLibraryLoadProcUninitialize
                                                                                              • String ID: --msiOverride$ --rerunningWithoutUAC$ --silent$--allUsers$--checkInstall$--rerunningWithoutUAC$Cannot install for all users when a VDI environment is not detected.$ERROR: cannot install for all users when a VDI environment is not detected.$ERROR: failed to install the .NET Framework, try installing .NET 4.5 or higher manually$ERROR: please re-run this installer as a normal user instead of "Run as Administrator".$ERROR: this program cannot run on Windows XP or before; it requires a later version of Windows.$Failed to install the .NET Framework, try installing .NET 4.5 or higher manually$Incompatible Operating System$Please re-run this installer as a normal user instead of "Run as Administrator".$SetDefaultDllDirectories$This program cannot run on Windows XP or before; it requires a later version of Windows.$kernel32.dll
                                                                                              • API String ID: 597072948-4182713384
                                                                                              • Opcode ID: a153a5231d8958bcb407c2be7e69e9783e7e2a8ad6de468e04a48fcf54d4b859
                                                                                              • Instruction ID: 5d88b746d0bd14fc2645860686b33a7b84bf27392af78185956116cda2a76873
                                                                                              • Opcode Fuzzy Hash: a153a5231d8958bcb407c2be7e69e9783e7e2a8ad6de468e04a48fcf54d4b859
                                                                                              • Instruction Fuzzy Hash: 8E81E13152434A9BDB37BF20D856ABFFB94AF91790F01443CFA85521B1DB309929CA92

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F6510
                                                                                              • CoCreateInstance.OLE32(003269B0,00000000,00000017,003365B0,?,00000044,002F66EE,0000000C,002F679C,0000009C,002FEA96,?,00000000, --rerunningWithoutUAC), ref: 002F6530
                                                                                              • VariantInit.OLEAUT32(?), ref: 002F654D
                                                                                              • IUnknown_QueryInterface_Proxy.RPCRT4 ref: 002F65B2
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F669D
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F66A7
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: Variant$Clear$CreateH_prolog3_InitInstanceInterface_ProxyQueryUnknown_
                                                                                              • String ID: Pou
                                                                                              • API String ID: 897443949-1565865998
                                                                                              • Opcode ID: efd319c046c249152a4708798578c83270e0937642396f301313fddb9733331d
                                                                                              • Instruction ID: 8a384f5fbc596d86ab8066effc343d48002f9695f0d32fda7750293571d0f77f
                                                                                              • Opcode Fuzzy Hash: efd319c046c249152a4708798578c83270e0937642396f301313fddb9733331d
                                                                                              • Instruction Fuzzy Hash: 1851B171A00219EFDB15DFA4DC59BAEBBB9EF48300F14406CE505E72A0CB75AE02CB60

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32(0030EC55,?,00310C99,0030EC55,0033A6B0,0000000C,00310DF0,0030EC55,00000002,00000000,?,0030EC55), ref: 00310CE4
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00310C99,0030EC55,0033A6B0,0000000C,00310DF0,0030EC55,00000002,00000000,?,0030EC55), ref: 00310CEB
                                                                                              • ExitProcess.KERNEL32 ref: 00310CFD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: Process$CurrentExitTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 1703294689-0
                                                                                              • Opcode ID: de06c5010ecce181373471d43bd596b244690fdc7a54467914ba1ceffcb5ad38
                                                                                              • Instruction ID: 1f595430487adbb71a4541fa3314e437c75a4060bce0b722f4fd6561cd9e6c21
                                                                                              • Opcode Fuzzy Hash: de06c5010ecce181373471d43bd596b244690fdc7a54467914ba1ceffcb5ad38
                                                                                              • Instruction Fuzzy Hash: 03E0B631040648ABCF2B6F54DD4AA883B6DEF99395F014018FD058E122CBB5EDD2DA81

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F6781
                                                                                                • Part of subcall function 002F66D0: __EH_prolog3_GS.LIBCMT ref: 002F66D7
                                                                                                • Part of subcall function 002F66D0: IUnknown_QueryInterface_Proxy.RPCRT4 ref: 002F6735
                                                                                              • IUnknown_QueryInterface_Proxy.RPCRT4 ref: 002F6866
                                                                                              • SysFreeString.OLEAUT32(?), ref: 002F68D5
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F68FD
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F690A
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F6917
                                                                                              • VariantClear.OLEAUT32(?), ref: 002F6921
                                                                                              • SysAllocString.OLEAUT32(?), ref: 002F6966
                                                                                              • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002F6A7D
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6AA0
                                                                                                • Part of subcall function 002F9372: VariantClear.OLEAUT32 ref: 002F937E
                                                                                                • Part of subcall function 002F9372: SysAllocString.OLEAUT32(?), ref: 002F9391
                                                                                                • Part of subcall function 002F9372: VariantClear.OLEAUT32 ref: 002F93C2
                                                                                              • GetLastError.KERNEL32 ref: 002F6AAE
                                                                                              Strings
                                                                                              • \SquirrelTemp, xrefs: 002F6A83
                                                                                              • Unable to write to %s - IT policies may be restricting access to this folder, xrefs: 002F6AD8
                                                                                              • PF3, xrefs: 002F67E7
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ClearVariant$String$AllocH_prolog3_Interface_ProxyQueryUnknown_$CreateDirectoryErrorFolderFreeLastPath
                                                                                              • String ID: PF3$Unable to write to %s - IT policies may be restricting access to this folder$\SquirrelTemp
                                                                                              • API String ID: 180059506-207337224
                                                                                              • Opcode ID: b2482de0b40ce9b19d50194b1f9edc695638b348b5a204ebc673fc6fa14e5041
                                                                                              • Instruction ID: d8e1c5c7f39bea1446966e803f9b06ed6d4f60a77d32c5cf53bb18389e5fb3b4
                                                                                              • Opcode Fuzzy Hash: b2482de0b40ce9b19d50194b1f9edc695638b348b5a204ebc673fc6fa14e5041
                                                                                              • Instruction Fuzzy Hash: 26D19D71D00619DBDB22DFA4CC45AEEBBB9EF09340F1441A9E909BB280DB715E85CF90

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              APIs
                                                                                              • GetCurrentProcess.KERNEL32 ref: 002F6498
                                                                                              • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 002F64A9
                                                                                              • GetLastError.KERNEL32 ref: 002F64B3
                                                                                              • GetTokenInformation.KERNELBASE(00000000,00000012(TokenIntegrityLevel),?,00000004,?), ref: 002F64D8
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 002F64F4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$CloseCurrentErrorHandleInformationLastOpen
                                                                                              • String ID:
                                                                                              • API String ID: 2078281146-0
                                                                                              • Opcode ID: 66110142e14af2a3f4aaea31a1a7854b2ca54c98fd46bfad8e398dab9b1a6a2d
                                                                                              • Instruction ID: 37ee6aa0a3a20eaed9278ad002bcce32abaee40b99ee98d3bba7866c2049be5e
                                                                                              • Opcode Fuzzy Hash: 66110142e14af2a3f4aaea31a1a7854b2ca54c98fd46bfad8e398dab9b1a6a2d
                                                                                              • Instruction Fuzzy Hash: 06015234A1020AEFDB21EFA0CD4ABBEB7BCFF04741F408428E602D2191DB749914DA60

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RegQueryValueExW.KERNELBASE(?,Release,00000000,?,?,?,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full,00020019), ref: 002F1276
                                                                                              Strings
                                                                                              • SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full, xrefs: 002F123B
                                                                                              • Release, xrefs: 002F126E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: QueryValue
                                                                                              • String ID: Release$SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full
                                                                                              • API String ID: 3660427363-1765340461
                                                                                              • Opcode ID: 6f338c1175f297bfe5770cd3e330b018b9d22e8c4429c6e2d9b497366da98f98
                                                                                              • Instruction ID: ec8fb851f075a225402f7568da0ac016622632d911d64abda6e2761039b34b42
                                                                                              • Opcode Fuzzy Hash: 6f338c1175f297bfe5770cd3e330b018b9d22e8c4429c6e2d9b497366da98f98
                                                                                              • Instruction Fuzzy Hash: 1A011B70E1020EEEDB01DFD4C8919FEFBB8AB11389F90407ADA11E2180E7749A28DF50

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F66D7
                                                                                                • Part of subcall function 002F6509: __EH_prolog3_GS.LIBCMT ref: 002F6510
                                                                                                • Part of subcall function 002F6509: CoCreateInstance.OLE32(003269B0,00000000,00000017,003365B0,?,00000044,002F66EE,0000000C,002F679C,0000009C,002FEA96,?,00000000, --rerunningWithoutUAC), ref: 002F6530
                                                                                                • Part of subcall function 002F6509: VariantInit.OLEAUT32(?), ref: 002F654D
                                                                                                • Part of subcall function 002F6509: IUnknown_QueryInterface_Proxy.RPCRT4 ref: 002F65B2
                                                                                              • IUnknown_QueryInterface_Proxy.RPCRT4 ref: 002F6735
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_Interface_ProxyQueryUnknown_$CreateInitInstanceVariant
                                                                                              • String ID:
                                                                                              • API String ID: 3581078782-0
                                                                                              • Opcode ID: ee5fc979f171bc42a731aab108912f2d9df2d2200f2e3b003c8a6005b4d950b3
                                                                                              • Instruction ID: 80ebb362a0f6d8a70c042f1215af1bbecbb0e9c3cfdc0f265b1fcaeccd0fb209
                                                                                              • Opcode Fuzzy Hash: ee5fc979f171bc42a731aab108912f2d9df2d2200f2e3b003c8a6005b4d950b3
                                                                                              • Instruction Fuzzy Hash: 36119335A00219DFDB05EB64DC5AB6EB7B5EF85715F24416CE201EB3A0DB74AE02CB90

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • RegOpenKeyExW.KERNELBASE(00000000,?,00000000,80000002,00000000,?,?,?,?,?,002F1253,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full), ref: 002F2362
                                                                                                • Part of subcall function 002F22B1: GetModuleHandleW.KERNEL32(Advapi32.dll,?,80000002,00000000,?,002F2354,00000000,?,?,80000002,00000000,?,?,?,?), ref: 002F22C4
                                                                                                • Part of subcall function 002F22B1: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002F22D4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleOpenProc
                                                                                              • String ID:
                                                                                              • API String ID: 1337834000-0
                                                                                              • Opcode ID: 76037dde36086e9c48d8ec9e537c3a987e43453b871230eb5a35359441f52446
                                                                                              • Instruction ID: 658adb6ab8d1d68d6f3d336190e1d990ba152b6508e7cf211921a62413cf4e62
                                                                                              • Opcode Fuzzy Hash: 76037dde36086e9c48d8ec9e537c3a987e43453b871230eb5a35359441f52446
                                                                                              • Instruction Fuzzy Hash: 5F0140B161121AEBDB08CF55C855EBFBBADEF49754F00806DB905A7240DB74ED148B90

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 002F6A7D
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6AA0
                                                                                              • GetLastError.KERNEL32 ref: 002F6AAE
                                                                                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 002F6B45
                                                                                              • GetUserNameW.ADVAPI32(?,00000200), ref: 002F6B59
                                                                                              • GetLastError.KERNEL32 ref: 002F6B5F
                                                                                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 002F6B90
                                                                                              • GetLastError.KERNEL32 ref: 002F6B9E
                                                                                              • FindResourceW.KERNEL32(00000083,DATA), ref: 002F6D21
                                                                                              • LoadResource.KERNEL32(00000000), ref: 002F6D3E
                                                                                              • SizeofResource.KERNEL32(00000000), ref: 002F6D62
                                                                                              • LockResource.KERNEL32(00000000), ref: 002F6D77
                                                                                              • DeleteFileW.KERNEL32(?), ref: 002F6E49
                                                                                              • FreeResource.KERNEL32(00000000), ref: 002F6F04
                                                                                              • GetFileAttributesW.KERNEL32(?), ref: 002F6F48
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 002F6F58
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 002F6F6B
                                                                                              • PathFileExistsW.SHLWAPI(?,?,%s\%s,?,setup.json,00000000,?,00000000,00000000,?,?,?,?), ref: 002F70D1
                                                                                              • CopyFileW.KERNEL32(?,?,00000000), ref: 002F70EA
                                                                                              • FindFirstFileW.KERNEL32(?,?), ref: 002F7171
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 002F717E
                                                                                              • FindClose.KERNEL32(00000000), ref: 002F719E
                                                                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,?,?,?), ref: 002F7236
                                                                                              • WaitForSingleObject.KERNEL32(?,00334650), ref: 002F724E
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 002F7261
                                                                                              • DeleteFileW.KERNEL32(?), ref: 002F72D2
                                                                                              • CloseHandle.KERNEL32(?), ref: 002F72F4
                                                                                              • CloseHandle.KERNEL32(?), ref: 002F7300
                                                                                                • Part of subcall function 002F63D0: GetActiveWindow.USER32 ref: 002F644E
                                                                                                • Part of subcall function 002F63D0: ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 002F6472
                                                                                                • Part of subcall function 002F9D9D: __EH_prolog3_GS.LIBCMT ref: 002F9DA7
                                                                                                • Part of subcall function 002F9D9D: _strftime.LIBCMT ref: 002F9DE2
                                                                                              • FreeResource.KERNEL32(00000000), ref: 002F7418
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$Resource$ErrorLast$CloseCreateFindHandlePath$DeleteDirectoryFolderFreeModuleNameProcess$ActiveAttributesCodeCopyExecuteExistsExitFirstH_prolog3_LoadLockObjectShellSingleSizeofUserWaitWindow_strftime
                                                                                              • String ID: --bootstrapperMode$"%s" --install . %s %s$%s\%s$%s\SquirrelSetup.log$--exeName=$D$DATA$ERROR: failed to extract installer$ERROR: there was an error while installing the application (see above)$Failed to extract installer$PF3$Teams-*.nupkg$There was an error while installing the application. Check the setup log for more information and contact the author.$Unable to write to %s - IT policies may be restricting access to this folder$Update.exe$\SquirrelTemp$setup.json
                                                                                              • API String ID: 1737328233-3080841054
                                                                                              • Opcode ID: 6111b5ae22b990e534c567e32e8f529599584743a636b9203babd0a923cc150b
                                                                                              • Instruction ID: 80b2d4804a4dcd3c80000ee661e5fa70e99a93c629479007cea6cf583d89000b
                                                                                              • Opcode Fuzzy Hash: 6111b5ae22b990e534c567e32e8f529599584743a636b9203babd0a923cc150b
                                                                                              • Instruction Fuzzy Hash: E1525B71D2522C9BDB21DF64CC99AEEB7B8EF14380F1441E9E609A3281EB315E95CF50

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F1379
                                                                                              • GetActiveWindow.USER32 ref: 002F141B
                                                                                                • Part of subcall function 002F1B05: LoadLibraryW.KERNEL32(comctl32.dll,?,00000001,?,?,?,002F1893,00000000), ref: 002F1B24
                                                                                                • Part of subcall function 002F1B05: GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 002F1B36
                                                                                                • Part of subcall function 002F1B05: FreeLibrary.KERNEL32(00000000,?,00000001,?,?,?,002F1893,00000000), ref: 002F1B59
                                                                                              • GetTempPathW.KERNEL32(00000104,?,000006E4,002FE9CF,?,--allUsers,?,--rerunningWithoutUAC), ref: 002F14AB
                                                                                              • GetTempFileNameW.KERNEL32(?,NDP,00000000,?), ref: 002F14E4
                                                                                              • _wcsrchr.LIBVCRUNTIME ref: 002F1525
                                                                                              • MoveFileW.KERNEL32(?,?), ref: 002F155D
                                                                                              • CoCreateInstance.OLE32(00326990,00000000,00000017,00334640,?), ref: 002F1589
                                                                                              • URLDownloadToFileW.URLMON(00000000,?,?,00000000,00000000), ref: 002F1673
                                                                                              • ShellExecuteExW.SHELL32(?), ref: 002F16E7
                                                                                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 002F1702
                                                                                              • GetExitCodeProcess.KERNEL32(?,?), ref: 002F1722
                                                                                              • CloseHandle.KERNEL32(?), ref: 002F178A
                                                                                              • DeleteFileW.KERNEL32(00000000), ref: 002F17A1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$LibraryTemp$ActiveAddressCloseCodeCreateDeleteDownloadExecuteExitFreeH_prolog3_HandleInstanceLoadMoveNameObjectPathProcProcessShellSingleWaitWindow_wcsrchr
                                                                                              • String ID: .exe$/passive /norestart /showrmui$/q /norestart$<$@$Downloading$Downloading the .NET Framework installer$H?3$H@3$LB3$NDP$Pou$This application requires the .NET Framework 4.5. Click the Install button to get started.$X?3$h?3
                                                                                              • API String ID: 141064516-1602067357
                                                                                              • Opcode ID: bf8c6f559a9d7000c62cd3ee67e227ec18bd43d560b13d72dbed1d3eb18bcce5
                                                                                              • Instruction ID: 9835ea17a1637885e457704db9eb9d84bdcb1b09e9213d880a1b866e8bd94f25
                                                                                              • Opcode Fuzzy Hash: bf8c6f559a9d7000c62cd3ee67e227ec18bd43d560b13d72dbed1d3eb18bcce5
                                                                                              • Instruction Fuzzy Hash: 75C17170A1021DDFDB21DF64DC85BA9B7BEAF84340F4402A9E609E7291DB719EA1CF50
                                                                                              APIs
                                                                                                • Part of subcall function 002F4975: SetFilePointer.KERNEL32(?,?,00000000,?), ref: 002F49A8
                                                                                              • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000104), ref: 002F588D
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 002F58C2
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 002F58D8
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 002F58E9
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 002F58FA
                                                                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 002F5A94
                                                                                              • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 002F5AC0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileTime_wcsstr$ByteCharLocalMultiPointerSystemWide
                                                                                              • String ID: $a3$/../$/..\$\../$\..\
                                                                                              • API String ID: 2500941349-3948120988
                                                                                              • Opcode ID: 9844a816d7facec3d86aa27b6d227f281ef754566a8d0380ffa575f9d8d8bd42
                                                                                              • Instruction ID: d38e0d09c12d139a53f3f0f299ea1468c8fa2207bef0676e9da78eab221421bc
                                                                                              • Opcode Fuzzy Hash: 9844a816d7facec3d86aa27b6d227f281ef754566a8d0380ffa575f9d8d8bd42
                                                                                              • Instruction Fuzzy Hash: 45F1F471910A698BCB2ACF2488817A5FBF4AF45350F1842BAEA5DDB281D7749B81CF50
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D84
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D91
                                                                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 0031F619
                                                                                              • IsValidCodePage.KERNEL32(00000000), ref: 0031F674
                                                                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0031F683
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001001,#1,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0031F6CB
                                                                                              • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 0031F6EA
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser
                                                                                              • String ID: #1$#1$#1
                                                                                              • API String ID: 2287132625-2975269725
                                                                                              • Opcode ID: 6e1d5c8659e157b12676ffc004328941094c97d421de7f8fc3f2953f1fc973a8
                                                                                              • Instruction ID: 93ab54d91d0b4bceb14e2d7562739b56087e82d431c51f10f6fb153a7a61da82
                                                                                              • Opcode Fuzzy Hash: 6e1d5c8659e157b12676ffc004328941094c97d421de7f8fc3f2953f1fc973a8
                                                                                              • Instruction Fuzzy Hash: 7E519272900206AFDB2AEFA5DC41AFAB7B9EF0C700F150439E904EB151DB70DD818B61
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(00000000,389D5262,?,?,?,?,0032452B,000000FF), ref: 002F24C8
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,?,?,?,0032452B,000000FF), ref: 002F24DC
                                                                                              • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?,?,?,?,?,?,0032452B,000000FF), ref: 002F2509
                                                                                                • Part of subcall function 002F246D: GetFileAttributesW.KERNEL32(?,002F252F), ref: 002F246E
                                                                                                • Part of subcall function 002F246D: GetLastError.KERNEL32 ref: 002F2479
                                                                                              • SHGetFolderPathW.SHELL32(00000000,00000023,00000000,00000000,?), ref: 002F2545
                                                                                              • GetUserNameW.ADVAPI32(?,?), ref: 002F2559
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileFolderModuleNamePath$AttributesErrorHandleLastUser
                                                                                              • String ID: \Microsoft\Teams\current$\teams.exe
                                                                                              • API String ID: 4174789944-1447158751
                                                                                              • Opcode ID: a78a6fc2e587a9201290d8a6feb4fc543fce451d4ef79e4371a29a9b42d907e0
                                                                                              • Instruction ID: f99e649f34e57cf8c3eef0d652ec465ec837c6fd6b77775e2b2bab99b118b519
                                                                                              • Opcode Fuzzy Hash: a78a6fc2e587a9201290d8a6feb4fc543fce451d4ef79e4371a29a9b42d907e0
                                                                                              • Instruction Fuzzy Hash: B64150B290011CBACB21EB50DC96EEBB7BCFF45740F4484B9F55592181EE745B898FA0
                                                                                              APIs
                                                                                              • LookupPrivilegeValueW.ADVAPI32(00334650,SeShutdownPrivilege,002F18AA), ref: 002F1974
                                                                                              • GetCurrentProcess.KERNEL32(00000020,?,?,?,?,?,?,002F18AA,00000000), ref: 002F1989
                                                                                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,002F18AA,00000000), ref: 002F1990
                                                                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000010,00000000,00000000), ref: 002F19C0
                                                                                              • CloseHandle.KERNEL32(?), ref: 002F19CD
                                                                                              • ExitWindowsEx.USER32(00000002,00000000), ref: 002F19E5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ProcessToken$AdjustCloseCurrentExitHandleLookupOpenPrivilegePrivilegesValueWindows
                                                                                              • String ID: SeShutdownPrivilege
                                                                                              • API String ID: 2829607268-3733053543
                                                                                              • Opcode ID: 792b52ac57aaa5a930a4c9acbb01d87f2fb701807b71cf2732ca213838920a63
                                                                                              • Instruction ID: 08283b0de79760a996d8b76f3093aecfd7d3232fa72ec0d72ecfe43f8b084570
                                                                                              • Opcode Fuzzy Hash: 792b52ac57aaa5a930a4c9acbb01d87f2fb701807b71cf2732ca213838920a63
                                                                                              • Instruction Fuzzy Hash: 7C112A71E01219EBDB119FA1DC4AEEFBBBCFF09741F408029E502E6190D7B49A15DBA0
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,0031F658,?,00000000), ref: 0031F3D2
                                                                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,0031F658,?,00000000), ref: 0031F3FB
                                                                                              • GetACP.KERNEL32(?,?,0031F658,?,00000000), ref: 0031F410
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: ACP$OCP
                                                                                              • API String ID: 2299586839-711371036
                                                                                              • Opcode ID: 4576145fa8805807562c8df2c4d584f8b034ea2a3e85fc9b9691ce6bd2098c25
                                                                                              • Instruction ID: 8360074460711a6532e6e68bb6cfd3abbeba8b5cce11fb01887de6c532f1c11b
                                                                                              • Opcode Fuzzy Hash: 4576145fa8805807562c8df2c4d584f8b034ea2a3e85fc9b9691ce6bd2098c25
                                                                                              • Instruction Fuzzy Hash: 5F219576600100AEDB3B9F15D911AD773AAEF5CB54B578934E91AC7101E732ED81C350
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FA1CA
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\VMware, Inc.\VMware VDM,00000000,?,?,000000A4,002FA421), ref: 002FA1E6
                                                                                                • Part of subcall function 002F9BDF: __EH_prolog3.LIBCMT ref: 002F9BE6
                                                                                                • Part of subcall function 002FA168: __EH_prolog3.LIBCMT ref: 002FA16F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3$H_prolog3_Open
                                                                                              • String ID: AgentInstallPath$PF3$SOFTWARE\VMware, Inc.\VMware VDM
                                                                                              • API String ID: 1546091839-2643531384
                                                                                              • Opcode ID: 47bff4b08d7281c66be99cdca36dc8c3ea44ec1bb3271a573a20c0f9baf1f7f2
                                                                                              • Instruction ID: a92dc4a38ce1376ab8d7fb15204551399fc0e3aac87f5a44e1687ba1a69b802d
                                                                                              • Opcode Fuzzy Hash: 47bff4b08d7281c66be99cdca36dc8c3ea44ec1bb3271a573a20c0f9baf1f7f2
                                                                                              • Instruction Fuzzy Hash: 98214D74D1134CAADF15EFA0D882AEDF7B8AF15380F50806EE509AB241EB705A58CF10
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,003123F2,?,?,?,?,00311E49,?,00000004), ref: 0031ECA4
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0031ED34
                                                                                              • _wcschr.LIBVCRUNTIME ref: 0031ED42
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,003123F2,00000000,00312512), ref: 0031EDF4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_free
                                                                                              • String ID:
                                                                                              • API String ID: 2444527052-0
                                                                                              • Opcode ID: f436069d0c97a57d5762e8c9e961b0d94ee042b5311891dfbe8aed94c59f8aa4
                                                                                              • Instruction ID: 57c2d801f0cadd2540e0a5e4ecc0375ecba2d2dee49a4347e767546f8f5fc0d5
                                                                                              • Opcode Fuzzy Hash: f436069d0c97a57d5762e8c9e961b0d94ee042b5311891dfbe8aed94c59f8aa4
                                                                                              • Instruction Fuzzy Hash: 9061D871A00606AAD72EAF75DC86AE773ACEF0C710F154429FD06DB181EB75E9C087A0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0031630B
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • GetTimeZoneInformation.KERNEL32 ref: 0031631D
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,?,0033E4D4,000000FF,?,0000003F,?,?), ref: 00316395
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,?,0033E528,000000FF,?,0000003F,?,?,?,0033E4D4,000000FF,?,0000003F,?,?), ref: 003163C2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                                                              • String ID:
                                                                                              • API String ID: 806657224-0
                                                                                              • Opcode ID: e90462e3cee3c0e1e854d14d9bc0ceb268369491fbe6b14c53d0ba4dd30e4576
                                                                                              • Instruction ID: 2bb42ded16025c25a25c57299151cc5bd6aec4710ba5161480b94623a3252658
                                                                                              • Opcode Fuzzy Hash: e90462e3cee3c0e1e854d14d9bc0ceb268369491fbe6b14c53d0ba4dd30e4576
                                                                                              • Instruction Fuzzy Hash: DE31A170904215DFDB17DFA9CC818A9BBB8FF4A314F154A6EE0209B2B1D3709D81DB50
                                                                                              APIs
                                                                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00303BFB,00329DAC,00000017), ref: 00303AE1
                                                                                              • UnhandledExceptionFilter.KERNEL32(00329DAC,?,00303BFB,00329DAC,00000017), ref: 00303AEA
                                                                                              • GetCurrentProcess.KERNEL32(C0000409,?,00303BFB,00329DAC,00000017), ref: 00303AF5
                                                                                              • TerminateProcess.KERNEL32(00000000,?,00303BFB,00329DAC,00000017), ref: 00303AFC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ExceptionFilterProcessUnhandled$CurrentTerminate
                                                                                              • String ID:
                                                                                              • API String ID: 3231755760-0
                                                                                              • Opcode ID: fcbaa4f41c2dd34e27bdebbe1ca69182b5049e28cf5f1239621c10c859604d50
                                                                                              • Instruction ID: 8d5e0f513eb9a35f622c901ddc8d233916c031fdb3f5add83a1bdd452cf26d89
                                                                                              • Opcode Fuzzy Hash: fcbaa4f41c2dd34e27bdebbe1ca69182b5049e28cf5f1239621c10c859604d50
                                                                                              • Instruction Fuzzy Hash: D7D00271044104ABD7522BE1ED0FA5D3F2CEF08757F044459F70A85462DB7374669B56
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D84
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D91
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0031F014
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0031F065
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0031F125
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorInfoLastLocale$_free
                                                                                              • String ID:
                                                                                              • API String ID: 2834031935-0
                                                                                              • Opcode ID: 3bdd248b74816293a32d156453a0d3dcb55e6dcd9b959cf8f3a7800ab2bc1bb8
                                                                                              • Instruction ID: fffd6c90ae145daf5c6e0ad966798f49cbb93950042da689017c33cd5d977680
                                                                                              • Opcode Fuzzy Hash: 3bdd248b74816293a32d156453a0d3dcb55e6dcd9b959cf8f3a7800ab2bc1bb8
                                                                                              • Instruction Fuzzy Hash: 72616E71900107EFDB2E9F24CC82BFAB7A8EF0C314F214179E905CA586EB74A995DB50
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • EnumSystemLocalesW.KERNEL32(0031EFC0,00000001,00000000,?,#1,?,0031F5ED,00000000,?,?,?), ref: 0031EF06
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                              • String ID: #1
                                                                                              • API String ID: 2016158738-189195207
                                                                                              • Opcode ID: ad4e2c8a10baa84977cfe338051ae0d82215ee76eaedd12817ad7414994826b7
                                                                                              • Instruction ID: 0456a7d725499253faf7cad49fcd3f3aed826f812935417fa0b3d2a6fd0e7630
                                                                                              • Opcode Fuzzy Hash: ad4e2c8a10baa84977cfe338051ae0d82215ee76eaedd12817ad7414994826b7
                                                                                              • Instruction Fuzzy Hash: 6611C6362047055FDB1D9F39D8915BABB92FF88358B15482CED4687A40D772B983C750
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • EnumSystemLocalesW.KERNEL32(0031F210,00000001,?,?,#1,?,0031F5B1,#1,?,?,?,?,?,003123EB,?,?), ref: 0031EF7B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                              • String ID: #1
                                                                                              • API String ID: 2016158738-189195207
                                                                                              • Opcode ID: 317aa2ea71dcc60f367ab05e1ee767d094a2adbf75da1b975e4692769eef00b4
                                                                                              • Instruction ID: a0ff9d9e7fac10e6efa39030a5fc5c6c342ecfd42448ef81cf35587cd56ee760
                                                                                              • Opcode Fuzzy Hash: 317aa2ea71dcc60f367ab05e1ee767d094a2adbf75da1b975e4692769eef00b4
                                                                                              • Instruction Fuzzy Hash: 84F0FC3A3043055FDB1A9F359C91AB67B95EF84368F06442CFD468B640D672EC838740
                                                                                              APIs
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00311E49,?,00000004), ref: 00315522
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: InfoLocale
                                                                                              • String ID: GetLocaleInfoEx
                                                                                              • API String ID: 2299586839-2904428671
                                                                                              • Opcode ID: 2063d41b4466fa356a749d39a517ebc9c0b608fb8452ab55dd6845437e39d18e
                                                                                              • Instruction ID: bd5434738f067ee15809fe7d130ea73a8350d17e6b7bba6c94524ad0aa682689
                                                                                              • Opcode Fuzzy Hash: 2063d41b4466fa356a749d39a517ebc9c0b608fb8452ab55dd6845437e39d18e
                                                                                              • Instruction Fuzzy Hash: 17F09031A51218FBCB176F60EC06EAE7B6AEF49B10F105019F8056A291CA719E609BD5
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D84
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D91
                                                                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0031F264
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free$InfoLocale
                                                                                              • String ID:
                                                                                              • API String ID: 2955987475-0
                                                                                              • Opcode ID: 829aaa431d52b1b54a9fc071895b2648c16118de87ec0a3f5e37ad369b4aa2ee
                                                                                              • Instruction ID: d68c87eef1dfab44ef0de0870c41f2683442cbb486e8b9980304e7c7036e869c
                                                                                              • Opcode Fuzzy Hash: 829aaa431d52b1b54a9fc071895b2648c16118de87ec0a3f5e37ad369b4aa2ee
                                                                                              • Instruction Fuzzy Hash: 7E21B33A90010AAFDB2E9E24DC42BFA73ACEF49310F10457AED01DA181EB75AD81D750
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0031F1DE,00000000,00000000,?), ref: 0031F46C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$InfoLocale_free
                                                                                              • String ID:
                                                                                              • API String ID: 787680540-0
                                                                                              • Opcode ID: a1bf83eebbf893d151bfa374782595f622d3f1d5adb19f45ec82ab878f887df7
                                                                                              • Instruction ID: aaae70cf9156cca7aa979363ed2067e600dd8f2c99a7ba65d424ebff9efbed92
                                                                                              • Opcode Fuzzy Hash: a1bf83eebbf893d151bfa374782595f622d3f1d5adb19f45ec82ab878f887df7
                                                                                              • Instruction Fuzzy Hash: B5F0F936500115AFDB2D9A668C06BFB7768EF48324F064539EC46A3140EE74BD81C690
                                                                                              APIs
                                                                                                • Part of subcall function 0030E8E1: EnterCriticalSection.KERNEL32(-00035119,?,003109CA,00000000,0033A690,0000000C,00310985,?,?,?,00314F6F,?,?,00313DDA), ref: 0030E8F0
                                                                                              • EnumSystemLocalesW.KERNEL32(00314FA0,00000001,0033A818,0000000C), ref: 0031501E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                                              • String ID:
                                                                                              • API String ID: 1272433827-0
                                                                                              • Opcode ID: 5bea490e45802874e88aa02b83d95a050e62f7126339fc1203a93a9cc683ddf7
                                                                                              • Instruction ID: a0d597ceea4089787f5700e3814787cc515307dac39eb1c56db9031069ffc9dd
                                                                                              • Opcode Fuzzy Hash: 5bea490e45802874e88aa02b83d95a050e62f7126339fc1203a93a9cc683ddf7
                                                                                              • Instruction Fuzzy Hash: BAF06272A50300EFDB16EF68D886B9D77A0EB08720F108015F510DF2E1C7B599818B51
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • EnumSystemLocalesW.KERNEL32(0031EDA0,00000001,?,?,?,0031F60F,#1,?,?,?,?,?,003123EB,?,?,?), ref: 0031EE80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$EnumLocalesSystem_free
                                                                                              • String ID:
                                                                                              • API String ID: 2016158738-0

                                                                                              Control-flow Graph

                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FF834
                                                                                              • CoTaskMemAlloc.OLE32(?,00000070,00300C00,?,00000000,00000000,00000000), ref: 002FF89D
                                                                                              • _wcsstr.LIBVCRUNTIME ref: 002FF909
                                                                                              • CharNextW.USER32(?), ref: 002FF91A
                                                                                              • CharNextW.USER32(00000000), ref: 002FF923
                                                                                              • CharNextW.USER32(00000000), ref: 002FF92C
                                                                                              • CharNextW.USER32(00000000), ref: 002FF935
                                                                                              • CharNextW.USER32(?), ref: 002FF96E
                                                                                              • CharNextW.USER32(?), ref: 002FF980
                                                                                              • CharNextW.USER32(00000000,}}), ref: 002FF9F0
                                                                                              • EnterCriticalSection.KERNEL32(00000011,?,?,?,?,?,00300EAF,00000000,?), ref: 002FFA45
                                                                                              • lstrcmpiW.KERNEL32(?,?,?,?,?,?,?,00300EAF,00000000,?), ref: 002FFA61
                                                                                              • LeaveCriticalSection.KERNEL32(?,00000000,?,?,?,?,?,00300EAF,00000000,?), ref: 002FFA8D
                                                                                              • CharNextW.USER32(?,00000000,?,?,?,?,?,00300EAF,00000000,?), ref: 002FFAAD
                                                                                              • CharNextW.USER32(?,00000000,00000001,00000070,00300C00,?,00000000,00000000,00000000), ref: 002FFACC
                                                                                                • Part of subcall function 002FF797: CoTaskMemRealloc.OLE32(?,?,00000002,?,?,002FF710,00000000,-00000002,00000008,C000008C,00000001,?,002FF366,00000000,00000010,00000000), ref: 002FF7DB
                                                                                              • CoTaskMemFree.OLE32(?,00000070,00300C00,?,00000000,00000000,00000000), ref: 002FFB0C
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CharNext$Task$CriticalSection$AllocEnterFreeH_prolog3_LeaveRealloc_wcsstrlstrcmpi
                                                                                              • String ID: }}$%$'$HKCR$HKCU{Software{Classes
                                                                                              • API String ID: 2038073834-792530599
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FA2C8
                                                                                              • GetCurrentProcess.KERNEL32 ref: 002FA30A
                                                                                              • IsWow64Process.KERNEL32(00000000), ref: 002FA311
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Citrix\PortICA,00000000,00020019,?), ref: 002FA337
                                                                                                • Part of subcall function 002F9BDF: __EH_prolog3.LIBCMT ref: 002F9BE6
                                                                                                • Part of subcall function 002FA168: __EH_prolog3.LIBCMT ref: 002FA16F
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: H_prolog3Process$CurrentH_prolog3_OpenWow64
                                                                                              • String ID: IsWVDEnvironment$PorticaV2$SOFTWARE\Citrix\PortICA$SOFTWARE\Microsoft\Teams$citrix-xen-app$citrix-xen-desktop$none$vmware$wvd
                                                                                              • API String ID: 3725901634-4114808235
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: _free$Info
                                                                                              • String ID:
                                                                                              • API String ID: 2509303402-0
                                                                                              APIs
                                                                                              • __EH_prolog3_catch_GS.LIBCMT ref: 00300D3A
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000060,@q3,Module,?), ref: 00300D85
                                                                                              • LoadLibraryExW.KERNEL32(?,00000000,00000002), ref: 00300D9B
                                                                                              • FindResourceW.KERNEL32(00000000,?,?), ref: 00300DC6
                                                                                              • LoadResource.KERNEL32(00000000,00000000), ref: 00300DDE
                                                                                              • SizeofResource.KERNEL32(00000000,00000000), ref: 00300DF0
                                                                                                • Part of subcall function 002F1D87: GetLastError.KERNEL32(002F14BA), ref: 002F1D87
                                                                                              • FreeLibrary.KERNEL32(00000000), ref: 00300EB6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: LibraryLoadResource$ErrorFindFreeH_prolog3_catch_LastSizeof
                                                                                              • String ID: @q3$Module$Module_Raw$REGISTRY
                                                                                              • API String ID: 1818814483-546855824
                                                                                              APIs
                                                                                              • RegGetValueW.ADVAPI32(80000002,Software\Policies\Microsoft\Office\16.0\Teams,AllowMsiOverride,00000010,?,00000000,?,00000400,?,00000000), ref: 002FC7D4
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000400,?,00000000), ref: 002FC808
                                                                                                • Part of subcall function 002FC498: GetFileVersionInfoSizeExW.VERSION(00000002,?,?,?,?,?,?,?,?,?,002FC83B,?,00000000), ref: 002FC4BF
                                                                                                • Part of subcall function 002FC498: GetFileVersionInfoExW.VERSION(00000002,?,00000000,?,?,00000000,00000000,?,?,?,?,?,?,002FC83B,?,00000000), ref: 002FC4F3
                                                                                                • Part of subcall function 002FC498: VerQueryValueW.VERSION(?,00335EE8,?,?,?,?,?,?,?,?,002FC83B,?,00000000), ref: 002FC511
                                                                                              Strings
                                                                                              • entered MsiOverride mode, xrefs: 002FC7ED
                                                                                              • AllowMsiOverride, xrefs: 002FC7C3
                                                                                              • could not get the Setup version - skipping installation, xrefs: 002FC83F
                                                                                              • Software\Policies\Microsoft\Office\16.0\Teams, xrefs: 002FC7C8
                                                                                              • Setup version is , xrefs: 002FC84C
                                                                                              • Setup version is newer, re-installing Teams from the machine-wide installer..., xrefs: 002FC8BA
                                                                                              • could not get the full path of the Setup file - skipping installation, xrefs: 002FC812
                                                                                              • the version of the Setup file is invalid - skipping installation, xrefs: 002FC86A
                                                                                              • The app version already installed is not older than the setup version, skipping installation, xrefs: 002FC8B0
                                                                                              • App version is , xrefs: 002FC890
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: File$InfoValueVersion$ModuleNameQuerySize
                                                                                              • String ID: AllowMsiOverride$App version is $Setup version is $Setup version is newer, re-installing Teams from the machine-wide installer...$Software\Policies\Microsoft\Office\16.0\Teams$The app version already installed is not older than the setup version, skipping installation$could not get the Setup version - skipping installation$could not get the full path of the Setup file - skipping installation$entered MsiOverride mode$the version of the Setup file is invalid - skipping installation
                                                                                              • API String ID: 3751987224-1774502221
                                                                                              APIs
                                                                                              • ___free_lconv_mon.LIBCMT ref: 0031E1E5
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D535
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D547
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D559
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D56B
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D57D
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D58F
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5A1
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5B3
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5C5
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5D7
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5E9
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D5FB
                                                                                                • Part of subcall function 0031D518: _free.LIBCMT ref: 0031D60D
                                                                                              • _free.LIBCMT ref: 0031E1DA
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • _free.LIBCMT ref: 0031E1FC
                                                                                              • _free.LIBCMT ref: 0031E211
                                                                                              • _free.LIBCMT ref: 0031E21C
                                                                                              • _free.LIBCMT ref: 0031E23E
                                                                                              • _free.LIBCMT ref: 0031E251
                                                                                              • _free.LIBCMT ref: 0031E25F
                                                                                              • _free.LIBCMT ref: 0031E26A
                                                                                              • _free.LIBCMT ref: 0031E2A2
                                                                                              • _free.LIBCMT ref: 0031E2A9
                                                                                              • _free.LIBCMT ref: 0031E2C6
                                                                                              • _free.LIBCMT ref: 0031E2DE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                                                              • String ID:
                                                                                              • API String ID: 161543041-0
                                                                                              • Opcode ID: 5040f83532c9cd639499fc992520c55f52643c2c325186368a2327272bf86f9e
                                                                                              • Instruction ID: 6178e238d389cb92c1666307ec7fb5b737671b0ae5a8d832481011d12d9bec9e
                                                                                              • Opcode Fuzzy Hash: 5040f83532c9cd639499fc992520c55f52643c2c325186368a2327272bf86f9e
                                                                                              • Instruction Fuzzy Hash: E4315E329003059FEB3AAA78D845BD677E9FF09310F124819F859DB2A1DB72ADC18760
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              • Opcode ID: 2a4eef5ac9ce313d1318c1bbe3c6e743885671bd2803b1d355db51dcba02828e
                                                                                              • Instruction ID: 1e9ca6049230e771c30a63795ea6eeee440a3d16b3de3e58a2698f4802da9eef
                                                                                              • Opcode Fuzzy Hash: 2a4eef5ac9ce313d1318c1bbe3c6e743885671bd2803b1d355db51dcba02828e
                                                                                              • Instruction Fuzzy Hash: 3DC13376D40204AFDB25DFA8CC42FEE77F8AB4D710F154565FA04FB282D6709A8197A0
                                                                                              APIs
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030041B
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030043A
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 00300450
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030045B
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(?,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 003004B8
                                                                                              • lstrcmpiW.KERNEL32(?,Delete,?,389D5262,?,00000000,00000000,?,003252D6,000000FF,?,00300CE1,?,00000000,00000000,00000000), ref: 003005C8
                                                                                              • lstrcmpiW.KERNEL32(?,ForceRemove,?,00000000,00000000,?,003252D6,000000FF,?,00300CE1,?,00000000,00000000,00000000,?), ref: 003005D9
                                                                                              • lstrcmpiW.KERNEL32(?,NoRemove,?,?,00000000,00000000,?,003252D6,000000FF,?,00300CE1,?,00000000,00000000,00000000,?), ref: 003006B7
                                                                                              • RegDeleteValueW.ADVAPI32(?,?,?,00000000,00020006), ref: 003007F6
                                                                                              • RegCloseKey.ADVAPI32(?,?,?,?), ref: 00300A32
                                                                                                • Part of subcall function 003002A6: RegQueryInfoKeyW.ADVAPI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00300A23), ref: 003002CC
                                                                                                • Part of subcall function 0030019C: lstrcmpiW.KERNEL32(?,003374F0,00000000,?,003009EC,?,?,?,?), ref: 003001AA
                                                                                                • Part of subcall function 003001CB: RegEnumKeyExW.ADVAPI32(?,00000000,?,00000100,00000000,00000000,00000000,?,?,?,?,00000002,00000000,?), ref: 00300254
                                                                                                • Part of subcall function 003001CB: RegCloseKey.ADVAPI32(?), ref: 0030026C
                                                                                              • lstrcmpiW.KERNEL32(?,Val,?,00000000,00000000,?,003252D6,000000FF,?,00300CE1,?,00000000,00000000,00000000,?), ref: 003006E5
                                                                                                • Part of subcall function 002F2397: RegCloseKey.ADVAPI32(?,80000002,002F2375,?,?,?,?,?,002F1253,80000002,SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full), ref: 002F23A2
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharNextlstrcmpi$Close$DeleteEnumInfoQueryValue
                                                                                              • String ID: Delete$ForceRemove$NoRemove$Val
                                                                                              • API String ID: 3404352402-1781481701
                                                                                              • Opcode ID: 9993f951702a41afe0a079b2701ef3370af25c027c332d8780ebef12c4983730
                                                                                              • Instruction ID: a6535cc2a5f4862485f88717ce5d4d1f9428a02cbb043343bb578456df48f6d6
                                                                                              • Opcode Fuzzy Hash: 9993f951702a41afe0a079b2701ef3370af25c027c332d8780ebef12c4983730
                                                                                              • Instruction Fuzzy Hash: 5EF1A771D02629ABCF3F9B648C69BAEB3B5AF44344F0141E5E905A71D0EB349E85CF90
                                                                                              APIs
                                                                                                • Part of subcall function 00321C88: CreateFileW.KERNEL32(00000000,?,?,c 2,?,?,00000000,?,00322063,00000000,0000000C), ref: 00321CA5
                                                                                              • GetLastError.KERNEL32 ref: 003220CE
                                                                                              • __dosmaperr.LIBCMT ref: 003220D5
                                                                                              • GetFileType.KERNEL32(00000000), ref: 003220E1
                                                                                              • GetLastError.KERNEL32 ref: 003220EB
                                                                                              • __dosmaperr.LIBCMT ref: 003220F4
                                                                                              • CloseHandle.KERNEL32(00000000), ref: 00322114
                                                                                              • CloseHandle.KERNEL32(?), ref: 0032225E
                                                                                              • GetLastError.KERNEL32 ref: 00322290
                                                                                              • __dosmaperr.LIBCMT ref: 00322297
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                              • String ID: H
                                                                                              • API String ID: 4237864984-2852464175
                                                                                              • Opcode ID: 38c6f19e275d069d371cddb751f1941552e526185df3e20d6c094a33401956e5
                                                                                              • Instruction ID: 028dacf53dd97cdfc63e180d375a09738c1460b5bbbd423bbb0a058ec1058208
                                                                                              • Opcode Fuzzy Hash: 38c6f19e275d069d371cddb751f1941552e526185df3e20d6c094a33401956e5
                                                                                              • Instruction Fuzzy Hash: 36A12532A141649FDF1A9FA8EC92BAE7BA5AB06324F140159F811AF2D1CB319812CB51
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(337E0000,00000000,?,000000FF,00000000,00000000,?,?,?,?,002F9DE7,?,00000032,%Y-%m-%d %H:%M:%S> ,00000000,002FC7FA), ref: 0030C37A
                                                                                              • GetLastError.KERNEL32(?,?,?,002F9DE7,?,00000032,%Y-%m-%d %H:%M:%S> ,00000000,002FC7FA,?,00000000), ref: 0030C387
                                                                                              • __dosmaperr.LIBCMT ref: 0030C38E
                                                                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,?,00000000,?,?,?,002F9DE7,?,00000032,%Y-%m-%d %H:%M:%S> ,00000000,002FC7FA), ref: 0030C3BA
                                                                                              • GetLastError.KERNEL32(?,?,?,002F9DE7,?,00000032,%Y-%m-%d %H:%M:%S> ,00000000,002FC7FA,?,00000000), ref: 0030C3C4
                                                                                              • __dosmaperr.LIBCMT ref: 0030C3CB
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,?,00000032,00000000,00000000,?,?,?,?,?,?,?,002F9DE7), ref: 0030C40E
                                                                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?,002F9DE7,?,00000032,%Y-%m-%d %H:%M:%S> ,00000000,002FC7FA,?,00000000), ref: 0030C418
                                                                                              • __dosmaperr.LIBCMT ref: 0030C41F
                                                                                              • _free.LIBCMT ref: 0030C42B
                                                                                              • _free.LIBCMT ref: 0030C432
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                                                              • String ID:
                                                                                              • API String ID: 2441525078-0
                                                                                              • Opcode ID: f4cf5616630c754302979bf24d43b9f0c229efea099740ec5abb769e5f6d0781
                                                                                              • Instruction ID: e0ba9fd7eb1df0661e55d937ac1be7c6fcb4025f9f4b11a867ab779053c39630
                                                                                              • Opcode Fuzzy Hash: f4cf5616630c754302979bf24d43b9f0c229efea099740ec5abb769e5f6d0781
                                                                                              • Instruction Fuzzy Hash: EB31B17641620AEFDF139FA5DC669AF7B7CFF08320B114258F8145A2D1DA318D51DBA0
                                                                                              APIs
                                                                                              • wsprintfW.USER32 ref: 002F5F39
                                                                                              • wsprintfW.USER32 ref: 002F5F58
                                                                                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 002F5F87
                                                                                              • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 002F6005
                                                                                              • SetFileTime.KERNEL32(?,?,?,?), ref: 002F6045
                                                                                              • CloseHandle.KERNEL32(?), ref: 002F6058
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: File$wsprintf$CloseCreateHandleTimeWrite
                                                                                              • String ID: %s%s$%s%s%s$:
                                                                                              • API String ID: 1593831391-3034790606
                                                                                              • Opcode ID: ed4c0ab1ef3d381ea04e823aeba9d7a67594850c9ab9d517530a1b6bb6659ba8
                                                                                              • Instruction ID: e0f8532af25606478209621e9ebae3c78c78721a5b7fed93be18d86b2a907130
                                                                                              • Opcode Fuzzy Hash: ed4c0ab1ef3d381ea04e823aeba9d7a67594850c9ab9d517530a1b6bb6659ba8
                                                                                              • Instruction Fuzzy Hash: E371B571A20A2D9BDB349F14CC85BBAF3B9FF44380F1045B9E75A97181DB709EA18B50
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F9DA7
                                                                                              • _strftime.LIBCMT ref: 002F9DE2
                                                                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002F9F21
                                                                                                • Part of subcall function 00303F3A: EnterCriticalSection.KERNEL32(0033DCF4,00000000,?,?,002F9E0A,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303F45
                                                                                                • Part of subcall function 00303F3A: LeaveCriticalSection.KERNEL32(0033DCF4,?,?,002F9E0A,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303F82
                                                                                                • Part of subcall function 002F9C99: __EH_prolog3_GS.LIBCMT ref: 002F9CA3
                                                                                                • Part of subcall function 00304297: __onexit.LIBCMT ref: 0030429D
                                                                                                • Part of subcall function 00303EF0: EnterCriticalSection.KERNEL32(0033DCF4,?,?,002F9E31,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303EFA
                                                                                                • Part of subcall function 00303EF0: LeaveCriticalSection.KERNEL32(0033DCF4,?,?,002F9E31,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303F2D
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$EnterH_prolog3_Leave$Ios_base_dtor__onexit_strftimestd::ios_base::_
                                                                                              • String ID: v2$%Y-%m-%d %H:%M:%S> $Setup: $\3$`3$h3
                                                                                              • API String ID: 980613400-3686900696
                                                                                              • Opcode ID: 22b93a8e1c8766826706b0d1c4b56eb5994a6632be0c580fdb410241b4456033
                                                                                              • Instruction ID: 0255dec586ca8fcc99d6600ec9ab810033768dc0909066ce1646d0e00efdacd2
                                                                                              • Opcode Fuzzy Hash: 22b93a8e1c8766826706b0d1c4b56eb5994a6632be0c580fdb410241b4456033
                                                                                              • Instruction Fuzzy Hash: 4B418375A1020C9FDB12EB64C896FADB7B8BB58744F104569E2099B2C2DB709E85CF10
                                                                                              APIs
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030041B
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030043A
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 00300450
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030045B
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(?,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 003004B8
                                                                                              • lstrcmpiW.KERNEL32(?,00337404,?,389D5262,?,00000000,?,?,?,00325296,000000FF,?,003008B6,?,00000000,?), ref: 002FFCBD
                                                                                              • lstrcmpiW.KERNEL32(?,00337408,?,003008B6,?,00000000,?,?,?,?,0002001F,?,00000000,00000000,?,003252D6), ref: 002FFCD7
                                                                                              • CharNextW.USER32(00000000), ref: 002FFE21
                                                                                              • CharNextW.USER32(00000000), ref: 002FFE4B
                                                                                              • RegSetValueExW.ADVAPI32(?,?,00000000,00000007,?,00000000), ref: 002FFEBC
                                                                                              • VarUI4FromStr.OLEAUT32(?,00000000,00000000,?), ref: 002FFEFF
                                                                                              • RegSetValueExW.ADVAPI32(?,?,00000000,00000004,?,00000004,?,003008B6,?,00000000,?,?,?,?,0002001F), ref: 002FFF33
                                                                                                • Part of subcall function 003003E6: CharNextW.USER32(00000000,00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 003004CD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: CharNext$Valuelstrcmpi$From
                                                                                              • String ID:
                                                                                              • API String ID: 806832092-0
                                                                                              • Opcode ID: d14b65bfbdfb8998b1b0eed88fd67949b25f7902534a39c7676dcda320eefea4
                                                                                              • Instruction ID: 482c396a5972c7a294f338c643c05304f13a382ecc730c4bb584e1e6d8e16d9a
                                                                                              • Opcode Fuzzy Hash: d14b65bfbdfb8998b1b0eed88fd67949b25f7902534a39c7676dcda320eefea4
                                                                                              • Instruction Fuzzy Hash: 78D1D171A10218CBDB3A8F24CD59BEDB7B9AF18340F1041BAE709A7291D7709EA5DF50
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00313C45
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • _free.LIBCMT ref: 00313C51
                                                                                              • _free.LIBCMT ref: 00313C5C
                                                                                              • _free.LIBCMT ref: 00313C67
                                                                                              • _free.LIBCMT ref: 00313C72
                                                                                              • _free.LIBCMT ref: 00313C7D
                                                                                              • _free.LIBCMT ref: 00313C88
                                                                                              • _free.LIBCMT ref: 00313C93
                                                                                              • _free.LIBCMT ref: 00313C9E
                                                                                              • _free.LIBCMT ref: 00313CAC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              • Opcode ID: c024f113f6603b7dc2d82f7afe9482a52e8756ed9148d3a57e9d7462ef7d1f8b
                                                                                              • Instruction ID: cf1ee2ebc4935c2d4a9ce3b2b4f39303237b1d5b0b13310de2f4a0dda868384e
                                                                                              • Opcode Fuzzy Hash: c024f113f6603b7dc2d82f7afe9482a52e8756ed9148d3a57e9d7462ef7d1f8b
                                                                                              • Instruction Fuzzy Hash: 8B118976510208FFDB0AEF95C952DD93F65EF08390B5180A5F9084F232D631DF919B90
                                                                                              APIs
                                                                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,00316E2D,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 003166FA
                                                                                              • __fassign.LIBCMT ref: 00316775
                                                                                              • __fassign.LIBCMT ref: 00316790
                                                                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 003167B6
                                                                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,-n1,00000000,?,?,?,?,?,?,?,?,?,00316E2D,?), ref: 003167D5
                                                                                              • WriteFile.KERNEL32(?,?,00000001,-n1,00000000,?,?,?,?,?,?,?,?,?,00316E2D,?), ref: 0031680E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                              • String ID: -n1
                                                                                              • API String ID: 1324828854-1702120114
                                                                                              • Opcode ID: 762e8c54999209e1f7c7280bb804de3ff2d88eb0d3b67111f1e61661ddccb197
                                                                                              • Instruction ID: 0cf0a0caee004c17b911f011606353052f96a1aad691226576cc5d70b149fffe
                                                                                              • Opcode Fuzzy Hash: 762e8c54999209e1f7c7280bb804de3ff2d88eb0d3b67111f1e61661ddccb197
                                                                                              • Instruction Fuzzy Hash: D3518571E002499FCB15CFE8D896AEEBBF8EF0D300F15455EE955E7291D630A941CB60
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 46cd3c350f58d6753dc2f1d8b5553ef1aeacef90c009b2cc4e48a3bd7069cc00
                                                                                              • Instruction ID: 6c743555afa80bd1c31af171bb12551a9dadb86c5b12539eafba48561a6f2e91
                                                                                              • Opcode Fuzzy Hash: 46cd3c350f58d6753dc2f1d8b5553ef1aeacef90c009b2cc4e48a3bd7069cc00
                                                                                              • Instruction Fuzzy Hash: F0C1E475D04249AFDB1BDFA8C841BEEBBB4BF1D300F194558E850AB392CB309981CB65
                                                                                              APIs
                                                                                              • GetCPInfo.KERNEL32(?,?), ref: 00321572
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 003215F5
                                                                                              • __alloca_probe_16.LIBCMT ref: 0032162D
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00321688
                                                                                              • __alloca_probe_16.LIBCMT ref: 003216D7
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 0032169F
                                                                                                • Part of subcall function 00313EB4: HeapAlloc.KERNEL32(00000000,?,?,?,00314CCA,00001000,?,?,0030BBE0,?,00309909), ref: 00313EE6
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0032171B
                                                                                              • __freea.LIBCMT ref: 00321746
                                                                                              • __freea.LIBCMT ref: 00321752
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                                                              • String ID:
                                                                                              • API String ID: 3256262068-0
                                                                                              • Opcode ID: fb3b17dea44b8a58c9599ee3875d653e105df5ebb74289acd8476517e618f1cc
                                                                                              • Instruction ID: 9c82dcaab8eff7f3f16e33d561dd8b14cf6560b55d74af87603a07a4f91667e0
                                                                                              • Opcode Fuzzy Hash: fb3b17dea44b8a58c9599ee3875d653e105df5ebb74289acd8476517e618f1cc
                                                                                              • Instruction Fuzzy Hash: D791FA72E102269EDF228F78EE41EEEBBB99FA9310F254569E805E7140D735DC44CB60
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                              • String ID:
                                                                                              • API String ID: 1282221369-0
                                                                                              • Opcode ID: 7cf42fa4e466aa6ee63b7874f5a1c590c4aa55f97001e70d2fa08ecc76aa73c3
                                                                                              • Instruction ID: bb7214cb748c0f53251f336a30c47a3a600e76a949e8ed664e1eabc1d2f674fa
                                                                                              • Opcode Fuzzy Hash: 7cf42fa4e466aa6ee63b7874f5a1c590c4aa55f97001e70d2fa08ecc76aa73c3
                                                                                              • Instruction Fuzzy Hash: 39612872D51300AFDB2BAFB4E8917EA7FA8AF0D710F05556DF9449B281D6318981C7A0
                                                                                              APIs
                                                                                                • Part of subcall function 00313D25: GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                                • Part of subcall function 00313D25: _free.LIBCMT ref: 00313D5C
                                                                                                • Part of subcall function 00313D25: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              • _memcmp.LIBVCRUNTIME ref: 00312DA2
                                                                                              • _free.LIBCMT ref: 00312E13
                                                                                              • _free.LIBCMT ref: 00312E2C
                                                                                              • _free.LIBCMT ref: 00312E5E
                                                                                              • _free.LIBCMT ref: 00312E67
                                                                                              • _free.LIBCMT ref: 00312E73
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorLast$_memcmp
                                                                                              • String ID: C
                                                                                              • API String ID: 4275183328-1037565863
                                                                                              • Opcode ID: d48e558289bc6d56cf13e29b2ad415680e97cfda9001ab98766feb7f585f9a88
                                                                                              • Instruction ID: 84987bab3ea49caece7f0152a9db2454d01e433e4266d5e906828a368965c8b0
                                                                                              • Opcode Fuzzy Hash: d48e558289bc6d56cf13e29b2ad415680e97cfda9001ab98766feb7f585f9a88
                                                                                              • Instruction Fuzzy Hash: D0B11A759012199FDB29DF18D884AEEB7B4FF58304F1085AAE949A7350D730AEE0CF90
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ActiveWindow
                                                                                              • String ID: @C3$A reboot is required following .NET installation - reboot then run installer again.$Cancel$Restart Now$Restart System$`D3
                                                                                              • API String ID: 2558294473-1599204401
                                                                                              • Opcode ID: bf78ed15458dd16d4b5209c4bd472e6b6b771d603b8093926830ea662257d063
                                                                                              • Instruction ID: ae802141acab0a47db97e0f5fead5bf91e14f7e295aa4f6ff621ab8ed12a4191
                                                                                              • Opcode Fuzzy Hash: bf78ed15458dd16d4b5209c4bd472e6b6b771d603b8093926830ea662257d063
                                                                                              • Instruction Fuzzy Hash: 09218371D1030DEBEB15DFA4D946AEDF7B8EF04394F60012EA615AB281DB7059248F94
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0030B021,0030B021,?,?,?,00319BA0,00000001,00000001,A4E85006), ref: 003199A9
                                                                                              • __alloca_probe_16.LIBCMT ref: 003199E1
                                                                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00319BA0,00000001,00000001,A4E85006,?,?,?), ref: 00319A2F
                                                                                              • __alloca_probe_16.LIBCMT ref: 00319AC6
                                                                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,A4E85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00319B29
                                                                                              • __freea.LIBCMT ref: 00319B36
                                                                                                • Part of subcall function 00313EB4: HeapAlloc.KERNEL32(00000000,?,?,?,00314CCA,00001000,?,?,0030BBE0,?,00309909), ref: 00313EE6
                                                                                              • __freea.LIBCMT ref: 00319B3F
                                                                                              • __freea.LIBCMT ref: 00319B64
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                                                              • String ID:
                                                                                              • API String ID: 2597970681-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              APIs
                                                                                                • Part of subcall function 002F1CED: InitializeCriticalSectionEx.KERNEL32(00000008,00000000,00000000,00000000,002F1CA4,00000014,002F15FA), ref: 002F1CF3
                                                                                                • Part of subcall function 002F1CED: GetLastError.KERNEL32 ref: 002F1CFD
                                                                                              • GetModuleFileNameW.KERNEL32(002F0000,?,00000104), ref: 002FF14F
                                                                                              • GetModuleHandleW.KERNEL32(00000000), ref: 002FF1A3
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Module$CriticalErrorFileHandleInitializeLastNameSection
                                                                                              • String ID: @q3$Module$Module_Raw$REGISTRY
                                                                                              • API String ID: 3798416324-546855824
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F9F83
                                                                                              • RegOpenKeyExW.ADVAPI32(80000002,?,00000000), ref: 002F9FD1
                                                                                                • Part of subcall function 002F9BDF: __EH_prolog3.LIBCMT ref: 002F9BE6
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,0h3), ref: 002FA039
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?), ref: 002FA09D
                                                                                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?), ref: 002FA0DA
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: QueryValue$H_prolog3H_prolog3_Open
                                                                                              • String ID: 0h3
                                                                                              • API String ID: 2092072835-3386817595
                                                                                              APIs
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 0030739B
                                                                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 003073A3
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 00307431
                                                                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 0030745C
                                                                                              • _ValidateLocalCookies.LIBCMT ref: 003074B1
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                              • String ID: csm
                                                                                              • API String ID: 1170836740-1018135373
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              APIs
                                                                                                • Part of subcall function 0031DC6C: _free.LIBCMT ref: 0031DC95
                                                                                              • _free.LIBCMT ref: 0031DF73
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • _free.LIBCMT ref: 0031DF7E
                                                                                              • _free.LIBCMT ref: 0031DF89
                                                                                              • _free.LIBCMT ref: 0031DFDD
                                                                                              • _free.LIBCMT ref: 0031DFE8
                                                                                              • _free.LIBCMT ref: 0031DFF3
                                                                                              • _free.LIBCMT ref: 0031DFFE
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 0030137F
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 00301389
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 003013A9
                                                                                              • codecvt.LIBCPMT ref: 003013C3
                                                                                              • std::_Facet_Register.LIBCPMT ref: 003013DA
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 003013FA
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00301418
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3RegisterThrowcodecvtstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 1243920060-0
                                                                                              APIs
                                                                                              • __allrem.LIBCMT ref: 0030C5FD
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030C619
                                                                                              • __allrem.LIBCMT ref: 0030C630
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030C64E
                                                                                              • __allrem.LIBCMT ref: 0030C665
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0030C683
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                              • String ID:
                                                                                              • API String ID: 1992179935-0
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: __cftoe
                                                                                              • String ID:
                                                                                              • API String ID: 4189289331-0
                                                                                              APIs
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: __freea$__alloca_probe_16
                                                                                              • String ID: a/p$am/pm
                                                                                              • API String ID: 3509577899-3206640213
                                                                                              APIs
                                                                                              • CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030041B
                                                                                              • CharNextW.USER32(00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030043A
                                                                                              • CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 00300450
                                                                                              • CharNextW.USER32(00000027,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 0030045B
                                                                                              • CharNextW.USER32(?,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 003004B8
                                                                                              • CharNextW.USER32(00000000,00000000,?,00000000,00000000,?,?,?,00300EAF,00000000,?), ref: 003004CD
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: CharNext
                                                                                              • String ID:
                                                                                              • API String ID: 3213498283-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002F8575
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 002F8582
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 002F85A1
                                                                                              • std::_Facet_Register.LIBCPMT ref: 002F85D0
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 002F85F0
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002F860E
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3_RegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3429215992-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FC2FB
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 002FC308
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 002FC327
                                                                                              • std::_Facet_Register.LIBCPMT ref: 002FC356
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 002FC376
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002FC394
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3_RegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3429215992-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,00307531,00304E4B), ref: 00307548
                                                                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00307556
                                                                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0030756F
                                                                                              • SetLastError.KERNEL32(00000000,?,00307531,00304E4B), ref: 003075C1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: ErrorLastValue___vcrt_
                                                                                              • String ID:
                                                                                              • API String ID: 3852720340-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FE143
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 002FE150
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 002FE16F
                                                                                              • std::_Facet_Register.LIBCPMT ref: 002FE19E
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 002FE1BE
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002FE1DC
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3_RegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3429215992-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FE1E9
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 002FE1F6
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 002FE215
                                                                                              • std::_Facet_Register.LIBCPMT ref: 002FE244
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 002FE264
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002FE282
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3_RegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3429215992-0
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FBAEA
                                                                                              • std::_Lockit::_Lockit.LIBCPMT ref: 002FBAF7
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::_Lockit.LIBCPMT ref: 002F9005
                                                                                                • Part of subcall function 002F8FE9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9021
                                                                                              • std::locale::_Getfacet.LIBCPMT ref: 002FBB16
                                                                                              • std::_Facet_Register.LIBCPMT ref: 002FBB45
                                                                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 002FBB65
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002FBB83
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_GetfacetH_prolog3_RegisterThrowstd::locale::_
                                                                                              • String ID:
                                                                                              • API String ID: 3429215992-0
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(Advapi32.dll,?,?,?,?,?,0030087E,?,?), ref: 002FFB90
                                                                                              • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 002FFBA0
                                                                                              • RegCreateKeyExW.ADVAPI32(?,0030087E,00000000,00000000,00000000,0002001F,00000000,0030087E,?,?,?,?,?,?,0030087E,?), ref: 002FFBF1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              Similarity
                                                                                              • API ID: AddressCreateHandleModuleProc
                                                                                              • String ID: Advapi32.dll$RegCreateKeyTransactedW
                                                                                              • API String ID: 1964897782-2994018265
                                                                                              • Opcode ID: 3ad9b1dd39d646232a00f46f24d63be8882b19d970979060c7fdc4be9e2697b8
                                                                                              • Instruction ID: 803ab5a51658ea3c79bcccaa932b94e905782a49c74f5e2822e758c146f8fea0
                                                                                              • Opcode Fuzzy Hash: 3ad9b1dd39d646232a00f46f24d63be8882b19d970979060c7fdc4be9e2697b8
                                                                                              • Instruction Fuzzy Hash: 6E2159B1A1020AAFDB15DFA4DD95DBEF7BCEF88B44B10847DE502A2141DB30A911CB60
                                                                                              APIs
                                                                                              • GetActiveWindow.USER32 ref: 002F644E
                                                                                              • ShellExecuteW.SHELL32(00000000,00000000,?,00000000,00000000,00000005), ref: 002F6472
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ActiveExecuteShellWindow
                                                                                              • String ID: Da3$da3$pa3
                                                                                              • API String ID: 2922113260-3153344994
                                                                                              • Opcode ID: 8afd1d5280adf4078e2acb3ecb1161b4270678f43adbec53bc464e6c468fe98e
                                                                                              • Instruction ID: becf4e28580e82bfbda3b141387e1c6425bb3c41b8bcac692fd95138bcdd1fe1
                                                                                              • Opcode Fuzzy Hash: 8afd1d5280adf4078e2acb3ecb1161b4270678f43adbec53bc464e6c468fe98e
                                                                                              • Instruction Fuzzy Hash: 73214FB1D1030DAFDB25DFA8D88A9EEBBB8EF08755F20413EA515A7241E7709914CF60
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(Advapi32.dll,?,80000002,00000000,?,002F2354,00000000,?,?,80000002,00000000,?,?,?,?), ref: 002F22C4
                                                                                              • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 002F22D4
                                                                                              • RegOpenKeyExW.ADVAPI32(00000000,?,00000000,002F1253,?,?,80000002,00000000,?,002F2354,00000000,?,?,80000002,00000000), ref: 002F230E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleOpenProc
                                                                                              • String ID: Advapi32.dll$RegOpenKeyTransactedW
                                                                                              • API String ID: 1337834000-3913318428
                                                                                              • Opcode ID: 90f5830e2f4406793b50dacc8c42e29bea3524cd22d01b77046365a077f0404c
                                                                                              • Instruction ID: f6adbdbf1cf6b8fe05c70e7ee5a47833042d3d275ae15c236a86817ebd520c3f
                                                                                              • Opcode Fuzzy Hash: 90f5830e2f4406793b50dacc8c42e29bea3524cd22d01b77046365a077f0404c
                                                                                              • Instruction Fuzzy Hash: 75016D7251021EFF9F225F90EC468AABB6EEF457D5B004039FA0581020C7729C72ABA0
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(Advapi32.dll,00000000,00000000,?,00300A8E,?,?,?,?), ref: 00300378
                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00300388
                                                                                                • Part of subcall function 003002F1: GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,?,00300367,?,?,00000000,?,00300A8E,?,?,?,?), ref: 00300304
                                                                                                • Part of subcall function 003002F1: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00300314
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: Advapi32.dll$RegDeleteKeyExW
                                                                                              • API String ID: 1646373207-2191092095
                                                                                              • Opcode ID: 474b9e65d5f2f4d600dfc57881a2d6e92b14ac279b58e69009cf85e51d7669c6
                                                                                              • Instruction ID: 4608f7d08460ca6071a724e0401895cc18ccce82bee8e3c0751d3361ac15202f
                                                                                              • Opcode Fuzzy Hash: 474b9e65d5f2f4d600dfc57881a2d6e92b14ac279b58e69009cf85e51d7669c6
                                                                                              • Instruction Fuzzy Hash: 0401F73D246200EBDB2B4F10EC16B997F2CBF24B10F0040A9F445A25F0CB71AC60EB90
                                                                                              APIs
                                                                                              • LoadLibraryW.KERNEL32(comctl32.dll,?,00000001,?,?,?,002F1893,00000000), ref: 002F1B24
                                                                                              • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 002F1B36
                                                                                              • FreeLibrary.KERNEL32(00000000,?,00000001,?,?,?,002F1893,00000000), ref: 002F1B59
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: Library$AddressFreeLoadProc
                                                                                              • String ID: TaskDialogIndirect$comctl32.dll
                                                                                              • API String ID: 145871493-2809879075
                                                                                              • Opcode ID: 97086db82dbc7a448d825f938da9a1a8ccb92cb6ece6eec02b00ebc894020b2b
                                                                                              • Instruction ID: 3cf9d7bbcfdb9ce6b479d0a0020a707c28ef76e6d1b994163c4cbc37d5ae1693
                                                                                              • Opcode Fuzzy Hash: 97086db82dbc7a448d825f938da9a1a8ccb92cb6ece6eec02b00ebc894020b2b
                                                                                              • Instruction Fuzzy Hash: F5F04F31601215EBE7225B25DC49BAABAA8EF05B55F008139F90193251EBB0ED2196A0
                                                                                              APIs
                                                                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00310CF9,0030EC55,?,00310C99,0030EC55,0033A6B0,0000000C,00310DF0,0030EC55,00000002), ref: 00310D68
                                                                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00310D7B
                                                                                              • FreeLibrary.KERNEL32(00000000,?,?,?,00310CF9,0030EC55,?,00310C99,0030EC55,0033A6B0,0000000C,00310DF0,0030EC55,00000002,00000000), ref: 00310D9E
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: AddressFreeHandleLibraryModuleProc
                                                                                              • String ID: CorExitProcess$mscoree.dll
                                                                                              • API String ID: 4061214504-1276376045
                                                                                              • Opcode ID: 5e39a3735fcb51db946f01a98ada782118e97cb2d90fcdb8c816799d2aabe4c5
                                                                                              • Instruction ID: aceff77b06821268e4a2a6d61eb1b64c76124691dab4ad2f9571dfccbca2a60a
                                                                                              • Opcode Fuzzy Hash: 5e39a3735fcb51db946f01a98ada782118e97cb2d90fcdb8c816799d2aabe4c5
                                                                                              • Instruction Fuzzy Hash: B6F04430A00218FBCB1B9F94EC0ABDDBFBCEF08715F014069F805A6161DB74A991CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf3fb12a3fd84e00f3610b5fff05bd743b3e58edeeb3663340155dbbcbb31a9c
                                                                                              • Instruction ID: bca1fb6c6b34e7e6e632bed4b2ee9d95f922cc2de062c1bcf46c4d8b2df139e3
                                                                                              • Opcode Fuzzy Hash: bf3fb12a3fd84e00f3610b5fff05bd743b3e58edeeb3663340155dbbcbb31a9c
                                                                                              • Instruction Fuzzy Hash: FC71B031902616DBCB2BCB54C884AFEBB79EF4D351F16422AE81597181D7718CC6C7A2
                                                                                              APIs
                                                                                                • Part of subcall function 00313EB4: HeapAlloc.KERNEL32(00000000,?,?,?,00314CCA,00001000,?,?,0030BBE0,?,00309909), ref: 00313EE6
                                                                                              • _free.LIBCMT ref: 00312785
                                                                                              • _free.LIBCMT ref: 0031279C
                                                                                              • _free.LIBCMT ref: 003127BB
                                                                                              • _free.LIBCMT ref: 003127D6
                                                                                              • _free.LIBCMT ref: 003127ED
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$AllocHeap
                                                                                              • String ID:
                                                                                              • API String ID: 1835388192-0
                                                                                              • Opcode ID: 21c655a3e078c9734872042bfe4587f6aead2f061e94c7b5f305505da15ae22a
                                                                                              • Instruction ID: d2b992cbc5c06dde8d5cd0e6d02ade0b669847603590d4e115bcded7e1e43b13
                                                                                              • Opcode Fuzzy Hash: 21c655a3e078c9734872042bfe4587f6aead2f061e94c7b5f305505da15ae22a
                                                                                              • Instruction Fuzzy Hash: BA51D332A00304AFDB2ADF69DC41AABB7F5FF5C720B15056DE809DB291E731D9918B90
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID:
                                                                                              • API String ID: 269201875-0
                                                                                              • Opcode ID: a078cfc91e49494870b33159761a340cf3b9e9759a5560816b58172fea92824b
                                                                                              • Instruction ID: 8d60a7aa318969ac82b099ec023a1d461e2150b0e111ee9b550424013f623ce6
                                                                                              • Opcode Fuzzy Hash: a078cfc91e49494870b33159761a340cf3b9e9759a5560816b58172fea92824b
                                                                                              • Instruction Fuzzy Hash: 8541DF32A103009FDB1ADF78C890A99B7E5EF89714F1685A9E615EB381D631ED41CB80
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,?,?,00000000,?,00000001,?,?,00000001,?,00000000), ref: 0031987F
                                                                                              • __alloca_probe_16.LIBCMT ref: 003198B7
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00319908
                                                                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0031991A
                                                                                              • __freea.LIBCMT ref: 00319923
                                                                                                • Part of subcall function 00313EB4: HeapAlloc.KERNEL32(00000000,?,?,?,00314CCA,00001000,?,?,0030BBE0,?,00309909), ref: 00313EE6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                                                              • String ID:
                                                                                              • API String ID: 1857427562-0
                                                                                              • Opcode ID: 42de461e9fb1308c837204532fc2d138e082d2eb8eabfc674df653c8d41924e2
                                                                                              • Instruction ID: 2e871902df6b09b5fd836a9fbf4ab52d3e28f3648d207b14a19515d4d2d5ccdc
                                                                                              • Opcode Fuzzy Hash: 42de461e9fb1308c837204532fc2d138e082d2eb8eabfc674df653c8d41924e2
                                                                                              • Instruction Fuzzy Hash: 3B31D232A0020AABDF2A8F64DC55EEE7BA9EF09710F05416AFC04DA190E735CD91CB90
                                                                                              APIs
                                                                                              • GetEnvironmentStringsW.KERNEL32 ref: 0031CBD9
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0031CBFC
                                                                                                • Part of subcall function 00313EB4: HeapAlloc.KERNEL32(00000000,?,?,?,00314CCA,00001000,?,?,0030BBE0,?,00309909), ref: 00313EE6
                                                                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0031CC22
                                                                                              • _free.LIBCMT ref: 0031CC35
                                                                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0031CC44
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                                                              • String ID:
                                                                                              • API String ID: 2278895681-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,?,?,00308D07,0030BBA4,002F1D82,00000000,?,00000000,002F1817,00000000,?,?,002F1817,00000000,A reboot is required following .NET installation - reboot then run installer again.), ref: 00313DAE
                                                                                              • _free.LIBCMT ref: 00313DE3
                                                                                              • _free.LIBCMT ref: 00313E0A
                                                                                              • SetLastError.KERNEL32(00000000,?,00308D07,0030BBA4,002F1D82,00000000,?,00000000,002F1817,00000000,?,?,002F1817,00000000,A reboot is required following .NET installation - reboot then run installer again.), ref: 00313E17
                                                                                              • SetLastError.KERNEL32(00000000,?,00308D07,0030BBA4,002F1D82,00000000,?,00000000,002F1817,00000000,?,?,002F1817,00000000,A reboot is required following .NET installation - reboot then run installer again.), ref: 00313E20
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              APIs
                                                                                              • GetLastError.KERNEL32(?,0030BBE0,00309863,0030BBE0,?,?,00309920,FF8BC35D), ref: 00313D29
                                                                                              • _free.LIBCMT ref: 00313D5C
                                                                                              • _free.LIBCMT ref: 00313D84
                                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D91
                                                                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00313D9D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ErrorLast$_free
                                                                                              • String ID:
                                                                                              • API String ID: 3170660625-0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 0031D9F4
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • _free.LIBCMT ref: 0031DA06
                                                                                              • _free.LIBCMT ref: 0031DA18
                                                                                              • _free.LIBCMT ref: 0031DA2A
                                                                                              • _free.LIBCMT ref: 0031DA3C
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              • _free.LIBCMT ref: 00311A0E
                                                                                                • Part of subcall function 00313E7A: HeapFree.KERNEL32(00000000,00000000,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?), ref: 00313E90
                                                                                                • Part of subcall function 00313E7A: GetLastError.KERNEL32(?,?,0031DC9A,?,00000000,?,00000000,?,0031DF3E,?,00000007,?,?,0031E339,?,?), ref: 00313EA2
                                                                                              • _free.LIBCMT ref: 00311A20
                                                                                              • _free.LIBCMT ref: 00311A33
                                                                                              • _free.LIBCMT ref: 00311A44
                                                                                              • _free.LIBCMT ref: 00311A55
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$ErrorFreeHeapLast
                                                                                              • String ID:
                                                                                              • API String ID: 776569668-0
                                                                                              APIs
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003172A9
                                                                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003172BE
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                                                                              • String ID: +q1$+q1
                                                                                              • API String ID: 885266447-1885021359
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe,00000104), ref: 00310E7E
                                                                                              • _free.LIBCMT ref: 00310F49
                                                                                              • _free.LIBCMT ref: 00310F53
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: _free$FileModuleName
                                                                                              • String ID: C:\Users\user\AppData\Local\Temp\MSTeamsSetup_c_l_.exe
                                                                                              • API String ID: 2506810119-3324678427
                                                                                              APIs
                                                                                              • __EH_prolog3_GS.LIBCMT ref: 002FC5E5
                                                                                                • Part of subcall function 002FC95A: __EH_prolog3.LIBCMT ref: 002FC961
                                                                                                • Part of subcall function 002FB8B0: __EH_prolog3_catch.LIBCMT ref: 002FB8B7
                                                                                                • Part of subcall function 002FCF30: __EH_prolog3_catch.LIBCMT ref: 002FCF37
                                                                                                • Part of subcall function 002FCF30: std::locale::locale.LIBCPMT ref: 002FCF67
                                                                                                • Part of subcall function 002FCF30: std::locale::~locale.LIBCPMT ref: 002FCF82
                                                                                              • std::ios_base::_Ios_base_dtor.LIBCPMT ref: 002FC72B
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_catch$H_prolog3H_prolog3_Ios_base_dtorstd::ios_base::_std::locale::localestd::locale::~locale
                                                                                              • String ID: v2$hi3
                                                                                              • API String ID: 2745547310-909177041
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 002FB3E1
                                                                                                • Part of subcall function 002FB7A3: __EH_prolog3.LIBCMT ref: 002FB7AA
                                                                                                • Part of subcall function 002FB7A3: std::locale::_Init.LIBCPMT ref: 002FB7CC
                                                                                              • std::locale::locale.LIBCPMT ref: 002FB494
                                                                                                • Part of subcall function 002FBAE3: __EH_prolog3_GS.LIBCMT ref: 002FBAEA
                                                                                                • Part of subcall function 002FBAE3: std::_Lockit::_Lockit.LIBCPMT ref: 002FBAF7
                                                                                                • Part of subcall function 002FBAE3: std::locale::_Getfacet.LIBCPMT ref: 002FBB16
                                                                                                • Part of subcall function 002FBAE3: std::_Lockit::~_Lockit.LIBCPMT ref: 002FBB65
                                                                                              • std::locale::~locale.LIBCPMT ref: 002FB4B6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: H_prolog3Lockitstd::_std::locale::_$GetfacetH_prolog3_InitLockit::_Lockit::~_std::locale::localestd::locale::~locale
                                                                                              • String ID: Th3
                                                                                              APIs
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: H_prolog3_
                                                                                              • String ID: LOCALAPPDATA$\SquirrelTemp\SquirrelSetup.log$`3
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(3,00000000,00000000,?,?,?,?,002FEAEC,?), ref: 002FEB83
                                                                                              • DestroyWindow.USER32(00000000,?,?,?,?,002FEAEC,?), ref: 002FEB9E
                                                                                              • LeaveCriticalSection.KERNEL32(3,?,?,?,?,002FEAEC,?), ref: 002FEBD3
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: CriticalSection$DestroyEnterLeaveWindow
                                                                                              • String ID: 3
                                                                                              APIs
                                                                                              • GetModuleHandleW.KERNEL32(Advapi32.dll,?,00000000,?,?,00300367,?,?,00000000,?,00300A8E,?,?,?,?), ref: 00300304
                                                                                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 00300314
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: AddressHandleModuleProc
                                                                                              • String ID: Advapi32.dll$RegDeleteKeyTransactedW
                                                                                              APIs
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 002F8F2F
                                                                                              Strings
                                                                                              Similarity
                                                                                              • API ID: Exception@8Throw
                                                                                              • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: __alldvrm$_strrchr
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              APIs
                                                                                              • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 002F241E
                                                                                              • VerSetConditionMask.KERNEL32(00000000), ref: 002F2426
                                                                                              • VerSetConditionMask.KERNEL32(00000000), ref: 002F242E
                                                                                              • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 002F2455
                                                                                              Similarity
                                                                                              • API ID: ConditionMask$InfoVerifyVersion
                                                                                              APIs
                                                                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 00307843
                                                                                                • Part of subcall function 00307790: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 003077BF
                                                                                                • Part of subcall function 00307790: ___AdjustPointer.LIBCMT ref: 003077DA
                                                                                              • _UnwindNestedFrames.LIBCMT ref: 00307858
                                                                                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00307869
                                                                                              • CallCatchBlock.LIBVCRUNTIME ref: 00307891
                                                                                              Similarity
                                                                                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,003150EF,?,00000000,00000000,00000000,?,0031541B,00000006,FlsSetValue), ref: 0031517A
                                                                                              • GetLastError.KERNEL32(?,003150EF,?,00000000,00000000,00000000,?,0031541B,00000006,FlsSetValue,0032C8B0,FlsSetValue,00000000,00000364,?,00313DF7), ref: 00315186
                                                                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,003150EF,?,00000000,00000000,00000000,?,0031541B,00000006,FlsSetValue,0032C8B0,FlsSetValue,00000000), ref: 00315194
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 3177248105-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 002FE323
                                                                                              • std::_Locinfo::_Locinfo.LIBCPMT ref: 002FE35D
                                                                                                • Part of subcall function 002F9066: __EH_prolog3.LIBCMT ref: 002F906D
                                                                                                • Part of subcall function 002F9066: std::_Lockit::_Lockit.LIBCPMT ref: 002F907A
                                                                                                • Part of subcall function 002F9066: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002F90B7
                                                                                              • numpunct.LIBCPMT ref: 002FE37D
                                                                                                • Part of subcall function 002FE3F0: __EH_prolog3_catch.LIBCMT ref: 002FE3F7
                                                                                                • Part of subcall function 002FE3F0: __Getcvt.LIBCPMT ref: 002FE40C
                                                                                                • Part of subcall function 002FE3F0: __Getcvt.LIBCPMT ref: 002FE439
                                                                                              • std::_Locinfo::~_Locinfo.LIBCPMT ref: 002FE387
                                                                                                • Part of subcall function 002F90F9: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002F9120
                                                                                                • Part of subcall function 002F90F9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9191
                                                                                              Similarity
                                                                                              • API ID: std::_$Locinfo::_$GetcvtH_prolog3LocinfoLockit$H_prolog3_catchLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_numpunct
                                                                                              • String ID:
                                                                                              • API String ID: 4110376795-0
                                                                                              APIs
                                                                                              • EnterCriticalSection.KERNEL32(0033DCF4,?,?,002F9E31,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303EFA
                                                                                              • LeaveCriticalSection.KERNEL32(0033DCF4,?,?,002F9E31,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303F2D
                                                                                              • SetEvent.KERNEL32(00000000,002F9E31,0033E65C,?,?,?,?,002FC7FA,?,00000000), ref: 00303FBB
                                                                                              • ResetEvent.KERNEL32(?,?,?,?,002FC7FA,?,00000000), ref: 00303FC7
                                                                                              Similarity
                                                                                              • API ID: CriticalEventSection$EnterLeaveReset
                                                                                              • String ID:
                                                                                              • API String ID: 3553466030-0
                                                                                              APIs
                                                                                              • __EH_prolog3.LIBCMT ref: 002F8CD1
                                                                                              • std::_Locinfo::_Locinfo.LIBCPMT ref: 002F8CFF
                                                                                                • Part of subcall function 002F9066: __EH_prolog3.LIBCMT ref: 002F906D
                                                                                                • Part of subcall function 002F9066: std::_Lockit::_Lockit.LIBCPMT ref: 002F907A
                                                                                                • Part of subcall function 002F9066: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002F90B7
                                                                                              • ctype.LIBCPMT ref: 002F8D11
                                                                                                • Part of subcall function 002F8C79: __Getctype.LIBCPMT ref: 002F8C88
                                                                                                • Part of subcall function 002F8C79: __Getcvt.LIBCPMT ref: 002F8C9A
                                                                                              • std::_Locinfo::~_Locinfo.LIBCPMT ref: 002F8D1B
                                                                                                • Part of subcall function 002F90F9: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002F9120
                                                                                                • Part of subcall function 002F90F9: std::_Lockit::~_Lockit.LIBCPMT ref: 002F9191
                                                                                              Similarity
                                                                                              • API ID: std::_$Locinfo::_$H_prolog3LocinfoLockit$GetctypeGetcvtLocinfo::~_Locinfo_ctorLocinfo_dtorLockit::_Lockit::~_ctype
                                                                                              • String ID:
                                                                                              • API String ID: 1262428101-0
                                                                                              APIs
                                                                                              • __startOneArgErrorHandling.LIBCMT ref: 0030F2BD
                                                                                              Similarity
                                                                                              • API ID: ErrorHandling__start
                                                                                              • String ID: pow
                                                                                              • API String ID: 3213639722-2276729525
                                                                                              APIs
                                                                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,0031EC7C,?,00000050,?,?,?,?,?), ref: 0031EAFC
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: ACP$OCP
                                                                                              • API String ID: 0-711371036
                                                                                              APIs
                                                                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce,00020006), ref: 002F1917
                                                                                              Strings
                                                                                              • SquirrelInstall, xrefs: 002F1925
                                                                                              • SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, xrefs: 002F18E5
                                                                                              Similarity
                                                                                              • API ID: FileModuleName
                                                                                              • String ID: SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce$SquirrelInstall
                                                                                              • API String ID: 514040917-3364363029
                                                                                              APIs
                                                                                              Similarity
                                                                                              • API ID: _free
                                                                                              • String ID: |3
                                                                                              • API String ID: 269201875-1420141427
                                                                                              APIs
                                                                                              • IsValidLocale.KERNEL32(00000000,i$1,00000000,00000001,?,?,00312469,?,?,00311E49,?,00000004), ref: 00315714
                                                                                              Similarity
                                                                                              • API ID: LocaleValid
                                                                                              • String ID: IsValidLocaleName$i$1
                                                                                              • API String ID: 1901932003-55889577
                                                                                              APIs
                                                                                              • std::invalid_argument::invalid_argument.LIBCONCRT ref: 003012B0
                                                                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 003012BE
                                                                                                • Part of subcall function 003055AE: RaiseException.KERNEL32(?,?,?,0030475F,?,00000000,00000000,?,?,?,?,?,0030475F,00000001,0033A2CC), ref: 0030560E
                                                                                              Similarity
                                                                                              • API ID: ExceptionException@8RaiseThrowstd::invalid_argument::invalid_argument
                                                                                              • String ID: bad function call
                                                                                              • API String ID: 4038826145-3612616537
                                                                                              • Opcode ID: 12068e2d34aaf79e7cafbd124448c71b6f983e720bf2df8aec4bee13f97da5e1
                                                                                              • Instruction ID: 536435d1adf8f792e14db8a28801bde2999ae9593a3efeb2691e9c1ff91fcf08
                                                                                              • Opcode Fuzzy Hash: 12068e2d34aaf79e7cafbd124448c71b6f983e720bf2df8aec4bee13f97da5e1
                                                                                              • Instruction Fuzzy Hash: 2CC01278C0510C77CB06B6A4D86788DB73DAE04300F808860B910D6081D67096199681
                                                                                              APIs
                                                                                                • Part of subcall function 002F1CED: InitializeCriticalSectionEx.KERNEL32(00000008,00000000,00000000,00000000,002F1CA4,00000014,002F15FA), ref: 002F1CF3
                                                                                                • Part of subcall function 002F1CED: GetLastError.KERNEL32 ref: 002F1CFD
                                                                                              • IsDebuggerPresent.KERNEL32(?,?,?,002F120A), ref: 00303A1A
                                                                                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,002F120A), ref: 00303A29
                                                                                              Strings
                                                                                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00303A24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionString
                                                                                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                              • API String ID: 3511171328-631824599
                                                                                              • Opcode ID: fec3274120a9665dfb8b9789ec7f2409a30fad96aeceba19ad83971a2bb0cbef
                                                                                              • Instruction ID: d529cf7f29467264e38ef1415b2d0f935f4d563f96690d371e2a5cf407f27234
                                                                                              • Opcode Fuzzy Hash: fec3274120a9665dfb8b9789ec7f2409a30fad96aeceba19ad83971a2bb0cbef
                                                                                              • Instruction Fuzzy Hash: 2DE092702003508FD3729F24E855752BBE8AF04744F40882EE8C6C7291DBB0E555CF52
                                                                                              APIs
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000009,00000000,00000000,00000000,00000000,00000032,00000032,00000000,00000000,00000000,00000032,00000000,00000000,00000000,002F9DE7), ref: 00319C4D
                                                                                              • GetLastError.KERNEL32 ref: 00319C5B
                                                                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000), ref: 00319CB6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000003.00000002.1688237999.00000000002F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 002F0000, based on PE: true
                                                                                              • Associated: 00000003.00000002.1688205387.00000000002F0000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688288824.0000000000326000.00000002.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688325375.000000000033C000.00000004.00000001.01000000.00000006.sdmp
                                                                                              • Associated: 00000003.00000002.1688352295.000000000033F000.00000002.00000001.01000000.00000006.sdmp
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_3_2_2f0000_MSTeamsSetup_c_l_.jbxd
                                                                                              Similarity
                                                                                              • API ID: ByteCharMultiWide$ErrorLast
                                                                                              • String ID:
                                                                                              • API String ID: 1717984340-0
                                                                                              • Opcode ID: d5844387f17fcc01e78dfc331d775056097bb93064c3c261bd4367e3237cc092
                                                                                              • Instruction ID: f6c93fafd0c410b4a66ffadfa5c130686a258d1f75a629e296d86d09cff4161d
                                                                                              • Opcode Fuzzy Hash: d5844387f17fcc01e78dfc331d775056097bb93064c3c261bd4367e3237cc092
                                                                                              • Instruction Fuzzy Hash: 43410B31604246AFDF2B8F64D854BFA7BE8EF09710F26416AF8995B1A1DB308D81C790

                                                                                              Execution Graph

                                                                                              Execution Coverage:17.7%
                                                                                              Dynamic/Decrypted Code Coverage:100%
                                                                                              Signature Coverage:0%
                                                                                              Total number of Nodes:64
                                                                                              Total number of Limit Nodes:0
                                                                                              execution_graph 51252 7990988 51253 79909c9 FreeLibrary 51252->51253 51254 79909f6 51253->51254 51195 1799970 51196 179999b 51195->51196 51199 1799bd9 51196->51199 51200 1799bfa 51199->51200 51204 1799c09 51200->51204 51209 1799c18 51200->51209 51205 1799c26 51204->51205 51214 1799c68 51205->51214 51219 1799cd2 51205->51219 51210 1799c26 51209->51210 51212 1799c68 GlobalMemoryStatusEx 51210->51212 51213 1799cd2 GlobalMemoryStatusEx 51210->51213 51211 1799a0b 51212->51211 51213->51211 51215 1799ca4 51214->51215 51224 179aef0 51215->51224 51228 179aee0 51215->51228 51216 1799d4d 51220 1799cd7 51219->51220 51222 179aef0 GlobalMemoryStatusEx 51220->51222 51223 179aee0 GlobalMemoryStatusEx 51220->51223 51221 1799d4d 51222->51221 51223->51221 51225 179af02 51224->51225 51232 179b680 51225->51232 51226 179af57 51226->51216 51229 179af02 51228->51229 51231 179b680 GlobalMemoryStatusEx 51229->51231 51230 179af57 51230->51216 51231->51230 51233 179b6c0 51232->51233 51237 179b8e0 51233->51237 51243 179b8d0 51233->51243 51234 179b747 51234->51226 51241 179b8e0 GlobalMemoryStatusEx 51237->51241 51242 179b8d0 GlobalMemoryStatusEx 51237->51242 51238 179b8f2 51240 179b924 51238->51240 51249 179a98c 51238->51249 51240->51234 51241->51238 51242->51238 51244 179b8f2 51243->51244 51247 179b8e0 GlobalMemoryStatusEx 51243->51247 51248 179b8d0 GlobalMemoryStatusEx 51243->51248 51245 179a98c GlobalMemoryStatusEx 51244->51245 51246 179b924 51244->51246 51245->51246 51246->51234 51247->51244 51248->51244 51250 179b800 GlobalMemoryStatusEx 51249->51250 51251 179b86c 51250->51251 51251->51240 51255 179b760 51256 179b788 51255->51256 51257 179a98c GlobalMemoryStatusEx 51256->51257 51258 179b790 51257->51258 51259 7990150 51260 7990176 51259->51260 51261 7990191 51259->51261 51263 7990538 51260->51263 51268 7990558 51263->51268 51272 7990550 51263->51272 51276 799051a 51263->51276 51264 799053f 
51264->51261 51269 79905a0 LoadLibraryExW 51268->51269 51271 79905dd 51269->51271 51271->51264 51273 79905a0 LoadLibraryExW 51272->51273 51275 79905dd 51273->51275 51275->51264 51277 7990533 LoadLibraryExW 51276->51277 51279 79905dd 51277->51279 51279->51264

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$(bq$(bq$(bq$=$Hbq$Hbq$Hbq$Hbq$Hbq$Hbq
                                                                                              • API String ID: 0-4038901194
                                                                                              • Opcode ID: 24d89bddc51945d9bd1684276a18326b2fc99ab73c3ef893bba58b684307b84c
                                                                                              • Instruction ID: 836fe22a4c5c50f21d2a1b275c633fe2bd45ae193fa2da2c889c12618a309c36
                                                                                              • Opcode Fuzzy Hash: 24d89bddc51945d9bd1684276a18326b2fc99ab73c3ef893bba58b684307b84c
                                                                                              • Instruction Fuzzy Hash: B462D431A002159FCB15DF69C844AAEBBF6FFC8310F14866AE506AB391DB35DC46CB91
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq
                                                                                              • API String ID: 0-2768158334
                                                                                              • Opcode ID: 45fced9e58aec81628242b7bb0201e139f0486edeaf6d1a750d71e3871d5e92a
                                                                                              • Instruction ID: d8e132017beb3c6f166063675c2a92c5399a36848b22a22061a0534cda2b037b
                                                                                              • Opcode Fuzzy Hash: 45fced9e58aec81628242b7bb0201e139f0486edeaf6d1a750d71e3871d5e92a
                                                                                              • Instruction Fuzzy Hash: C0325A34A01215CFDB14DF28D954A99B7B2FF89300F1582E9E50AAB3A1DB74ED85CF90

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: bq$#`7m^$+a7m^$+b7m^$3`7m^$;a7m^$;b7m^$C`7m^$Ka7m^$Kb7m^$S_7m^$S`7m^$[a7m^$[b7m^$c_7m^$k`7m^$ka7m^$kb7m^$s_7m^${`7m^${a7m^${b7m^$_7m^$`7m^$a7m^
                                                                                              • API String ID: 0-2322488158
                                                                                              • Opcode ID: 148729389f73c765c63070429955cdf939a140eced1fc71ad46fbff0d65fcab8
                                                                                              • Instruction ID: a29a66b2d7050becde9fb9ba95d5879314ea7c76dadd3a35d179ae192b8a1ec0
                                                                                              • Opcode Fuzzy Hash: 148729389f73c765c63070429955cdf939a140eced1fc71ad46fbff0d65fcab8
                                                                                              • Instruction Fuzzy Hash: 6F927D74B016059FCB04EB69D854B2EBAF7FBD9300F14852DE50ADB384CA39AC06DB95
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$(bq$(bq$(bq$(bq$Hbq$Hbq
                                                                                              • API String ID: 0-568158049
                                                                                              • Opcode ID: e5c39bf195b13d556d7bc1b586628376cbf08cb5116bea3fd0055e9468fc3ab0
                                                                                              • Instruction ID: 79af3b6556052ecd797dd771e1113e8a06592de293459e310e9a302cc5e8e046
                                                                                              • Opcode Fuzzy Hash: e5c39bf195b13d556d7bc1b586628376cbf08cb5116bea3fd0055e9468fc3ab0
                                                                                              • Instruction Fuzzy Hash: 1142EF30B04A258FCB259B38CC1466EBBE2EFD5301F14896ED6469B785CB35DD06CB92

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$(bq$;$Hbq
                                                                                              • API String ID: 0-3027255109
                                                                                              • Opcode ID: 9e04f3a65527ad7298eccbb582d9e8a0f28896e7ab7cdb433bb7ac048498dde5
                                                                                              • Instruction ID: 7f0ccc5cb771a66adc1d78dd1242f398eae94b27234fe074a19975d8da60568d
                                                                                              • Opcode Fuzzy Hash: 9e04f3a65527ad7298eccbb582d9e8a0f28896e7ab7cdb433bb7ac048498dde5
                                                                                              • Instruction Fuzzy Hash: 26910431A046654FC7159F78C8506AEBFA2BFD4350F10816EDA4A9B381DF389D06CBE6

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$Hbq$Hbq$Hbq$Hbq
                                                                                              • API String ID: 0-3192604525
                                                                                              • Opcode ID: 8dc07a7ed273874e4f294dd60b2af072f0a7b0e56a3c0eab3b4089e461e33821
                                                                                              • Instruction ID: 6ca374380cf9d33d2765d0a6466e8f985544904508b4710b24bbd2980049238f
                                                                                              • Opcode Fuzzy Hash: 8dc07a7ed273874e4f294dd60b2af072f0a7b0e56a3c0eab3b4089e461e33821
                                                                                              • Instruction Fuzzy Hash: 4881D235B042159FCB559B688410B6EBAE7FFD5350F108A2EE60ADB380DE38DD06C795

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$xbq$xbq
                                                                                              • API String ID: 0-2582918839
                                                                                              • Opcode ID: 2968f354d39d40aadbf2795d6f76a04d461a91af289a446f09732651ea6c8133
                                                                                              • Instruction ID: ff249feed3389c053620e189ef0b08c2642c990c5eceab3c0692091411242190
                                                                                              • Opcode Fuzzy Hash: 2968f354d39d40aadbf2795d6f76a04d461a91af289a446f09732651ea6c8133
                                                                                              • Instruction Fuzzy Hash: 0B619C357002059FDB159F68C850BAE7BA2FFC9351F14856DE90A9B395CB32EC42CB90

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $.bq$[Oq^${Oq^
                                                                                              • API String ID: 0-3693273601
                                                                                              • Opcode ID: 7c6c1a40226cdca606d3e0145108b46a9a15bf3b3d67e0f516fbefc323f2b364
                                                                                              • Instruction ID: ad7eada2375f83df826edfa8a3e5b3aa4b7018474dac5b1fc1995d11fde86867
                                                                                              • Opcode Fuzzy Hash: 7c6c1a40226cdca606d3e0145108b46a9a15bf3b3d67e0f516fbefc323f2b364
                                                                                              • Instruction Fuzzy Hash: 5592F474B012199FCB18DF28D894BA9B7B2FF89310F504598E8499B3A5CB35ED81CF91

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$d
                                                                                              • API String ID: 0-3459434788
                                                                                              • Opcode ID: ab1567f6c65f0961a6c8060709dfb68a735236be5391757b4ef07d7972ab9d13
                                                                                              • Instruction ID: 202270398488903c52ef1023a00ffada87eec697fe064688d67133174913a373
                                                                                              • Opcode Fuzzy Hash: ab1567f6c65f0961a6c8060709dfb68a735236be5391757b4ef07d7972ab9d13
                                                                                              • Instruction Fuzzy Hash: B2223879A00215CFCB14CF69C5909AEBBF2FF89310B258699E915AB361D731EC42DF90

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$(bq$(bq
                                                                                              • API String ID: 0-2716923250
                                                                                              • Opcode ID: 5440e8740a498015090961d7611c950c2b4f9ef3bb4d97705a51508b952f4322
                                                                                              • Instruction ID: 58a80c35dd81fb208343f360b5fab64a2628d6c3cbfe885209668b717c039692
                                                                                              • Opcode Fuzzy Hash: 5440e8740a498015090961d7611c950c2b4f9ef3bb4d97705a51508b952f4322
                                                                                              • Instruction Fuzzy Hash: F351A031A002658FDB04CF69C480A6AFBB5FF89320B158666E92ADB391D730EC51CBD4

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (_^q$(_^q$(_^q
                                                                                              • API String ID: 0-2659877201
                                                                                              • Opcode ID: 133c39031e154594e0598b0df8e1b04ba7f32b2a280f54cfbb836c2764105049
                                                                                              • Instruction ID: de5fc69e61c563e76de7a18f5669b703fb4932e6c5ba6067d9495fa0e20642c6
                                                                                              • Opcode Fuzzy Hash: 133c39031e154594e0598b0df8e1b04ba7f32b2a280f54cfbb836c2764105049
                                                                                              • Instruction Fuzzy Hash: CA418175E0020A9FCF04DF68C8449DEB7F2FF88300B648659E919AB351DB34AE46CB90

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (_^q$(_^q$(_^q
                                                                                              • API String ID: 0-2659877201
                                                                                              • Opcode ID: 923567d4ba533cfc2a74f8462214c8188424da75342448c256c18c19ce81a83e
                                                                                              • Instruction ID: d4ae573c08f7012d0e461552e628229ab963839324380a927d3860312ffe4e8c
                                                                                              • Opcode Fuzzy Hash: 923567d4ba533cfc2a74f8462214c8188424da75342448c256c18c19ce81a83e
                                                                                              • Instruction Fuzzy Hash: 5D418375E0020A9FCF04DF68C844ADEB7F2FF99300B648559E919AB341DB35AD46CB94

                                                                                              Control-flow Graph

                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq$Hbq
                                                                                              • API String ID: 0-4081012451
                                                                                              • Opcode ID: 7376521beef417ea92c823919f480352d3c7ce4bd2c8d777c02cb7bcae00dba5
                                                                                              • Instruction ID: 671ca75dddc23d2b4ce16d12d9196991b6f5222d4a9b33f6eb039fc4a4a4bb4e
                                                                                              • Opcode Fuzzy Hash: 7376521beef417ea92c823919f480352d3c7ce4bd2c8d777c02cb7bcae00dba5
                                                                                              • Instruction Fuzzy Hash: B1D1BD36E006298FCB25CF69D84059EBBB2FF88311F258529D949AB351DB31AC46CF90

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 8cq$Hbq
                                                                                              • API String ID: 0-2316083856
                                                                                              • Opcode ID: dd7f01ea461cefca81c790d922345f595acc4c34639004a5a6b971032cb54f11
                                                                                              • Instruction ID: 9805a0e816e3656c0ed30b61d0fc0107132979f8d6cf26e5f122502f11ad9bd8
                                                                                              • Opcode Fuzzy Hash: dd7f01ea461cefca81c790d922345f595acc4c34639004a5a6b971032cb54f11
                                                                                              • Instruction Fuzzy Hash: 1E515B725093910FD716DB3CD85069A7FF2EFE2201F0449AFD089CB292DA649909C3B6

                                                                                              Control-flow Graph

                                                                                              • Executed
                                                                                              • Not Executed
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4c^q$4c^q
                                                                                              • API String ID: 0-2055720093
                                                                                              • Opcode ID: 705da9046484bb839aeab7d1948152590d842d7c741b170031315aba393398af
                                                                                              • Instruction ID: 1bed81654057aa16f047040f7dfda00a6844ea09ae4de6ff167564d78fc8958a
                                                                                              • Opcode Fuzzy Hash: 705da9046484bb839aeab7d1948152590d842d7c741b170031315aba393398af
                                                                                              • Instruction Fuzzy Hash: E251D471B002129FDF54CB39C980A6A77F6FF88340B148968D806EB295FB74ED05C7A0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $^q$$^q
                                                                                              • API String ID: 0-355816377
                                                                                              • Opcode ID: f299dd9379caf21a614d929ae2bff5575f7e9b5dad3aab72a6bf46c1ea8f8bfd
                                                                                              • Instruction ID: b9f2ad8e6130029b62639c5c9b23e1eadc7152d8ee38722bbd8fb1b80469ad3c
                                                                                              • Opcode Fuzzy Hash: f299dd9379caf21a614d929ae2bff5575f7e9b5dad3aab72a6bf46c1ea8f8bfd
                                                                                              • Instruction Fuzzy Hash: 76413170B102199FDB18DF69D854BAEBBE6FF8C301F108029E5059B369CF759C459B90
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq$PL`q
                                                                                              • API String ID: 0-3429855202
                                                                                              • Opcode ID: 8f2b6f7a2601710da4d5f394b783e027c7a48a8ba1ce3ee5b3ea55ebd8194052
                                                                                              • Instruction ID: 29ebbf0c025044bb8737661a36c7441c29ab4797be8d4bea14feb049a0290f93
                                                                                              • Opcode Fuzzy Hash: 8f2b6f7a2601710da4d5f394b783e027c7a48a8ba1ce3ee5b3ea55ebd8194052
                                                                                              • Instruction Fuzzy Hash: 4C31B2313003021BD718AB369C51B3E2B97FBD1251F488D2DE9468F2D4DE70AD46D3A5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Hbq$Hbq
                                                                                              • API String ID: 0-4258043069
                                                                                              • Opcode ID: d352bf02dfd6822d0766e05663e327e7eba0e42397fd7925dfedeea88edecdba
                                                                                              • Instruction ID: 60b548c02d4e00cb1c50e04d09fd4934d7546f6f7bd6f09b3c07c5fb1a546b49
                                                                                              • Opcode Fuzzy Hash: d352bf02dfd6822d0766e05663e327e7eba0e42397fd7925dfedeea88edecdba
                                                                                              • Instruction Fuzzy Hash: F3314C653083A24FC347AB39586056E7FA6EFE620070444EBD246CF396DE2C9C07C3A6
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq$PL`q
                                                                                              • API String ID: 0-3429855202
                                                                                              • Opcode ID: 484fd0727b43c09a08b316e38322e503f1a605368cbc2a8cc9a993e49f605a60
                                                                                              • Instruction ID: 23c6973c327fa12463c4b91dc73a41d5c96edc03b91764c4dfa426e7ea0711b3
                                                                                              • Opcode Fuzzy Hash: 484fd0727b43c09a08b316e38322e503f1a605368cbc2a8cc9a993e49f605a60
                                                                                              • Instruction Fuzzy Hash: B6217F303003021BE718AA36AC51B3F2697FBE0291F588D2CE9068F2D8DD71AD46D7A5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: d`q
                                                                                              • API String ID: 0-645810311
                                                                                              • Opcode ID: 0ef3f1a584dbe3788596d525ac4ef7495350f5918aed39640751ea72d31a3771
                                                                                              • Instruction ID: b7000e533101627a963e564869e297de15f7001a72dc5e77ee51760d67f2af08
                                                                                              • Opcode Fuzzy Hash: 0ef3f1a584dbe3788596d525ac4ef7495350f5918aed39640751ea72d31a3771
                                                                                              • Instruction Fuzzy Hash: C9224A34A00205DFDB18DFA9E994BAEB7B6FF88300F10815AE9059B394DB35AC45CF95
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              • Opcode ID: 6d42f9d684f0580b6192c9374400a304e8f1d95a2f0c5d133c811d24667e7915
                                                                                              • Instruction ID: f275f08a4c30c422b292ff0bcce77426cc65eeb8aa3583aa0da827bfdad79e3e
                                                                                              • Opcode Fuzzy Hash: 6d42f9d684f0580b6192c9374400a304e8f1d95a2f0c5d133c811d24667e7915
                                                                                              • Instruction Fuzzy Hash: 51F1AE70B006259FDB54DF69C480A6ABBF2FF89314B148669D42ADB391DB30FC42CB94
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 079905CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3121220602.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_7990000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: bc46fbf36c4902739b81e78e2924042326adb8f2774f4df30f7d48847d906fc5
                                                                                              • Instruction ID: b7faa0431d21a435a7e6c284d88f1c8c90eb337a813fc36717cdc5f5e37dc6d9
                                                                                              • Opcode Fuzzy Hash: bc46fbf36c4902739b81e78e2924042326adb8f2774f4df30f7d48847d906fc5
                                                                                              • Instruction Fuzzy Hash: FB2166B180435A9FCB11CFAAC844A9EFFF8EF49310F15816AD458A7241C7749944CFA2
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3121220602.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_7990000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              • Opcode ID: dfa7b8e6ae7ad039be385a098ce11dedc5f7e46d960ccc0a2f6023717df47782
                                                                                              • Instruction ID: fe24f1df39ca62fe37b98d65d5c32883f4c964e333924fe0e3d269abb8c06fbf
                                                                                              • Opcode Fuzzy Hash: dfa7b8e6ae7ad039be385a098ce11dedc5f7e46d960ccc0a2f6023717df47782
                                                                                              • Instruction Fuzzy Hash: B021ACB180538A8FDB11CFA9C8447DEBFF0AF49310F15449AD069E7291C738A945CFA1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              • Opcode ID: 1c56c38fb83a144381bb11d971beeaf88b5d5ef6c9e79b79ec73e0ba4dac3a16
                                                                                              • Instruction ID: d5038762a770a4f2908b415c68c43ca2d65766d898e21ff2718165d8db3e4c3e
                                                                                              • Opcode Fuzzy Hash: 1c56c38fb83a144381bb11d971beeaf88b5d5ef6c9e79b79ec73e0ba4dac3a16
                                                                                              • Instruction Fuzzy Hash: 00A10371B046658FC705DB6CC85066EBBE2EFD1314B28C4BAD609DB782CA79DC06CB94
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 079905CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3121220602.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_7990000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: f5581ca01b42c04e48981b9476ab0e4bf4409f7006cb763de976fa58c3d6dd60
                                                                                              • Instruction ID: 2630297701f79109e52bf76bd9263a017433cd4b8006c6c77f56d610e1f16ccd
                                                                                              • Opcode Fuzzy Hash: f5581ca01b42c04e48981b9476ab0e4bf4409f7006cb763de976fa58c3d6dd60
                                                                                              • Instruction Fuzzy Hash: E62127B1D1021A9FCB10CF9ED844A9EFBF4FF48314F10812AE819A7240D374AA54CFA5
                                                                                              APIs
                                                                                              • LoadLibraryExW.KERNEL32(00000000,?,?), ref: 079905CE
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3121220602.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_7990000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: LibraryLoad
                                                                                              • String ID:
                                                                                              • API String ID: 1029625771-0
                                                                                              • Opcode ID: b3bd3bdfc8023256c6beaf53ed6f47fbc39419f67b8a11c767a0bd5dd8b50164
                                                                                              • Instruction ID: e3f74aec716ae6662c31f25efb52ce5e4733e444fb06dfe0a770bea639744127
                                                                                              • Opcode Fuzzy Hash: b3bd3bdfc8023256c6beaf53ed6f47fbc39419f67b8a11c767a0bd5dd8b50164
                                                                                              • Instruction Fuzzy Hash: 05211AB1D0061A9FDB10DF9ED444A9EFBF8FB48314F10812AD919A7340D774A954CFA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq
                                                                                              • API String ID: 0-2768158334
                                                                                              • Opcode ID: fdc97ad930b0b6663098e06c1dccdbd36843fd9b8651088ebd91fffb89a0cf11
                                                                                              • Instruction ID: 9fe22d55074859e64398abdabc42a28ce2df8f677c62e79ec658eb0a17dae9b1
                                                                                              • Opcode Fuzzy Hash: fdc97ad930b0b6663098e06c1dccdbd36843fd9b8651088ebd91fffb89a0cf11
                                                                                              • Instruction Fuzzy Hash: 8EB1DF30B053059FD718EB64D940BAA7BF6EBC5704F14846AE406CB385DB36ED46CB61
                                                                                              APIs
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3121220602.0000000007990000.00000040.00000800.00020000.00000000.sdmp, Offset: 07990000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_7990000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: FreeLibrary
                                                                                              • String ID:
                                                                                              • API String ID: 3664257935-0
                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0179B85D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3090259006.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1790000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              APIs
                                                                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 0179B85D
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3090259006.0000000001790000.00000040.00000800.00020000.00000000.sdmp, Offset: 01790000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1790000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID: GlobalMemoryStatus
                                                                                              • String ID:
                                                                                              • API String ID: 1890195054-0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: {7m^
                                                                                              • API String ID: 0-4128984248
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4c^q
                                                                                              • API String ID: 0-396817635
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: 4c^q
                                                                                              • API String ID: 0-396817635
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: LR^q
                                                                                              • API String ID: 0-2625958711
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: k5
                                                                                              • API String ID: 0-881582803
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: xbq
                                                                                              • API String ID: 0-73991425
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: v7m^
                                                                                              • API String ID: 0-983444487
                                                                                              • Opcode ID: 9cd8501abfe410d681b3e44dfea7e86cf8713e85c6adb3505d774db4469f4121
                                                                                              • Instruction ID: 0bbf8177310ddf2e9be96a9fe1a3cc9a4ae6517c584fda402edad78795900e55
                                                                                              • Opcode Fuzzy Hash: 9cd8501abfe410d681b3e44dfea7e86cf8713e85c6adb3505d774db4469f4121
                                                                                              • Instruction Fuzzy Hash: 6B516F31A04306DFDB14DF69D484A9EBBF2FF84310F048669E51AAB350EB74E845CB90
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: v7m^
                                                                                              • API String ID: 0-983444487
                                                                                              • Opcode ID: 21d3450232a04c9d9faac803c74ad14550e46c8dcb3e6be13982cfc73a661f7d
                                                                                              • Instruction ID: d7ae9d13c76aaeef83c9e3656dec15804733cc4db79018fc1a69b8fff146e81e
                                                                                              • Opcode Fuzzy Hash: 21d3450232a04c9d9faac803c74ad14550e46c8dcb3e6be13982cfc73a661f7d
                                                                                              • Instruction Fuzzy Hash: 83416C36A04305DFCB14DF69D484AADBBF2FF84310F04866AE516AB350EB74E944CBA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: bq
                                                                                              • API String ID: 0-3837038491
                                                                                              • Opcode ID: ba52f0b2679c8b48c497e975c8cac40fd96189322acaf0539621fea575bd10ec
                                                                                              • Instruction ID: 54a48af7a10a7cc7bc9bd73575a944db38da64d4fcd285618d4ffc46fcfc50c6
                                                                                              • Opcode Fuzzy Hash: ba52f0b2679c8b48c497e975c8cac40fd96189322acaf0539621fea575bd10ec
                                                                                              • Instruction Fuzzy Hash: 30411470E002198FCB54DF69D844BAEBBF2FB88310F50466AD449AB344DB346D86CF55
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Hbq
                                                                                              • API String ID: 0-1245868
                                                                                              • Opcode ID: 513fc51f4a416b43d1135a8acdcdea616b8b40ff7bb02f7a98dd554e2b061637
                                                                                              • Instruction ID: 697b16cbe90e7736b34287696fb4fbbcc9d2cbf45d590b5f175b07a293005d31
                                                                                              • Opcode Fuzzy Hash: 513fc51f4a416b43d1135a8acdcdea616b8b40ff7bb02f7a98dd554e2b061637
                                                                                              • Instruction Fuzzy Hash: 39412674A143058FC709EF78E84096E7BF6FF95300B10856ED14A9B351EB34AD06CBA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (t7p
                                                                                              • API String ID: 0-3610790217
                                                                                              • Opcode ID: 093347d0ce20ed94e480c50d658058c7fda6c8ab2a3a7cd832cf687f51c22486
                                                                                              • Instruction ID: 0d602b361b267c450e05596d8cbb583d20640013b966de375b5a1d4046679552
                                                                                              • Opcode Fuzzy Hash: 093347d0ce20ed94e480c50d658058c7fda6c8ab2a3a7cd832cf687f51c22486
                                                                                              • Instruction Fuzzy Hash: A4418E70A0020A9FCF05EFA8EC94A9DBBF6FF96201F50456DD105AB354DB346E05DBA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $.bq
                                                                                              • API String ID: 0-1276036112
                                                                                              • Opcode ID: 722a15fae9343111ebfb4b4d953205c137e54fada635a7dcc0a8e77f3fa1ce17
                                                                                              • Instruction ID: f06c0dcadf9e00a007cb4975dec9226a9b853199a59d5e205ad1afad9bc810a0
                                                                                              • Opcode Fuzzy Hash: 722a15fae9343111ebfb4b4d953205c137e54fada635a7dcc0a8e77f3fa1ce17
                                                                                              • Instruction Fuzzy Hash: E6319C71B003629FCB05DF7EA8945AE7BE2EB88241700866AE945DF345EF64DC048BE5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (t7p
                                                                                              • API String ID: 0-3610790217
                                                                                              • Opcode ID: f7c2d608e473f6bd9f7d21ea852067f59fc9417cac3efdd644e47e2760d1547f
                                                                                              • Instruction ID: 19c1db5ad2e18145e67b5f25db4e2a5945bc303daeabf180ece4b074da7d69a4
                                                                                              • Opcode Fuzzy Hash: f7c2d608e473f6bd9f7d21ea852067f59fc9417cac3efdd644e47e2760d1547f
                                                                                              • Instruction Fuzzy Hash: 7E319071A0021A9FCF05EFA8EC90ADD7BB2FF95201F50466DD105AB354EB356E05CBA0
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Hbq
                                                                                              • API String ID: 0-1245868
                                                                                              • Opcode ID: fdadc2578bf2c1b1576349e96265504490e3453f0a40f0133d9ea1f1a3eac727
                                                                                              • Instruction ID: 04325deefde0c6c880f01a475cc7cef09965a648cc3af58f3a5434245720c376
                                                                                              • Opcode Fuzzy Hash: fdadc2578bf2c1b1576349e96265504490e3453f0a40f0133d9ea1f1a3eac727
                                                                                              • Instruction Fuzzy Hash: 4B414A74A042298BDB14DF64C955BAEBBF2FF88311F24842DE40AA7390DB359D41CF64
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: $.bq
                                                                                              • API String ID: 0-1276036112
                                                                                              • Opcode ID: f83ff6f66f73e1de2955e9042a671f3b28d2e8462c390772360dfb0e79c89b42
                                                                                              • Instruction ID: bb620ce5bfa8b7ff759748925c4a28752c267ea2176efa480c786bb007e82c39
                                                                                              • Opcode Fuzzy Hash: f83ff6f66f73e1de2955e9042a671f3b28d2e8462c390772360dfb0e79c89b42
                                                                                              • Instruction Fuzzy Hash: 63318D71B007269B8B05DF7EA89456F7BE6FB882417008A2AE905DF345EF74DC448BE4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              • Opcode ID: 5197b9e8170a74b84030cb0aee25ee846a6295e1f9cb0f43161e0acb5d65133f
                                                                                              • Instruction ID: 177ea013cd9884fc63e056c19f80675e06b96cba1da551ede7f6318d488267e1
                                                                                              • Opcode Fuzzy Hash: 5197b9e8170a74b84030cb0aee25ee846a6295e1f9cb0f43161e0acb5d65133f
                                                                                              • Instruction Fuzzy Hash: 26214270A003104FC721AB7AD80469EBBF2EBD4311F00052DD64A9B380EB756D0A8BD1
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Te^q
                                                                                              • API String ID: 0-671973202
                                                                                              • Opcode ID: 2f9c3f6d99cef5533b9a72a0576db40b88fbb358790ede7f624ac5e19106b1f4
                                                                                              • Instruction ID: b5051adca602ddb6756065778b86ee2a6d7f5acb4f3280be2ba9f7ad09cd6cd7
                                                                                              • Opcode Fuzzy Hash: 2f9c3f6d99cef5533b9a72a0576db40b88fbb358790ede7f624ac5e19106b1f4
                                                                                              • Instruction Fuzzy Hash: 9931B475B202159FCB18DF68D494EAD7BB2FF88310F108159E906AB391CF719C01DB90
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (bq
                                                                                              • API String ID: 0-149360118
                                                                                              • Opcode ID: 2ec7ddfc9680f377b488e2df517570eb0387cdccfd56a04fa40db1c52dd5beec
                                                                                              • Instruction ID: c9d522522ded8af7979d79b00cded705d926a58036ef8e912230a5978799877e
                                                                                              • Opcode Fuzzy Hash: 2ec7ddfc9680f377b488e2df517570eb0387cdccfd56a04fa40db1c52dd5beec
                                                                                              • Instruction Fuzzy Hash: D031AC30A083458FC785DF78D8506AEBBF2AF86310F1485AED449DB296DB348946CB92
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (t7p
                                                                                              • API String ID: 0-3610790217
                                                                                              • Opcode ID: b24b78595f0211d3420684c85eb4e2a5d5df63e3ac3bbc8e222882901e8ccb88
                                                                                              • Instruction ID: fff28544be2529de7d37233b299f10155df647ea4e2e5b89a394429843222430
                                                                                              • Opcode Fuzzy Hash: b24b78595f0211d3420684c85eb4e2a5d5df63e3ac3bbc8e222882901e8ccb88
                                                                                              • Instruction Fuzzy Hash: 76316F70A0021A9FCF04EFA8EC949DE7BB6FF99201F50456DD105AB354DB352E45CBA4
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Te^q
                                                                                              • API String ID: 0-671973202
                                                                                              • Opcode ID: be3e070de6ffa6c3eb19498470549e1be84ffa2ffb45b4236e3e2d31f58600c5
                                                                                              • Instruction ID: f72e6bfdc9e8a42dfa0a1141ecf377537d24b5f123fa0f1853af7148af5af5be
                                                                                              • Opcode Fuzzy Hash: be3e070de6ffa6c3eb19498470549e1be84ffa2ffb45b4236e3e2d31f58600c5
                                                                                              • Instruction Fuzzy Hash: 79215E30B102149FDB18DB69D498B9EBBF2FB88710F50406AE502AB3A0CB715C45CB90
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: Te^q
                                                                                              • API String ID: 0-671973202
                                                                                              • Opcode ID: 5b33c7b36d586a88ac89365bdccdba9b243619b3528b6263499323931eafab19
                                                                                              • Instruction ID: 8605b8a4a2aabfc54939baaff065da5b1575b0da550371e771ad15f8539fbc33
                                                                                              • Opcode Fuzzy Hash: 5b33c7b36d586a88ac89365bdccdba9b243619b3528b6263499323931eafab19
                                                                                              • Instruction Fuzzy Hash: BA111C30B102149FDB589B69D498BAEBBB2FB89B10F50406AE506AB3A0CB715C45CB90
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq
                                                                                              • API String ID: 0-2768158334
                                                                                              • Opcode ID: 43ecb8332a48478871ffbe3d64f867ec44a2adf420c4540b78ef9ab15756c4aa
                                                                                              • Instruction ID: 226070d47cc159ad9849b44bc7fb8854d833bc40e025e29c682f77b351d26812
                                                                                              • Opcode Fuzzy Hash: 43ecb8332a48478871ffbe3d64f867ec44a2adf420c4540b78ef9ab15756c4aa
                                                                                              • Instruction Fuzzy Hash: 0E0188313007154FC718DF2AE840E5AB7E7FFD1251704896DE00A8B261DA70ED46CBA5
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Instruction ID: 3399c73b4ee67bd779be9934433d4a3bdd1cf90d4dd737cbddf57a9041e64345
                                                                                              • Opcode Fuzzy Hash: f114739125839493c479c8c7180eaced7196ba702fc8b179de7b39e94de016de
                                                                                              • Instruction Fuzzy Hash: 37819B78B00215DFC758DB68E498A6E7BB6FF88701B148159E806EB364DB398D81CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 787c12c136571f8d9b4d8dd87ce2a94b50541a689dbd80aa57df63ef3b3a9a36
                                                                                              • Instruction ID: 0461c9fbbf216a116714c9a9dd87fe08f163d741efe63ebbbb949a60b7b0672d
                                                                                              • Opcode Fuzzy Hash: 787c12c136571f8d9b4d8dd87ce2a94b50541a689dbd80aa57df63ef3b3a9a36
                                                                                              • Instruction Fuzzy Hash: 5B71AC36B00215DFDB18DF69E458AAEB7F6EF88710F108529E50AEB360DB349C41CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6577891d2aa94bfaa01e36945b87553e7a9a137c800b76e45bbc786bfe2cc1e7
                                                                                              • Instruction ID: 03cf3d423d79bcbcddbbb4e820fb387c362fd0f5ef60456645749d8f56584a1d
                                                                                              • Opcode Fuzzy Hash: 6577891d2aa94bfaa01e36945b87553e7a9a137c800b76e45bbc786bfe2cc1e7
                                                                                              • Instruction Fuzzy Hash: 8E81B07AB50104CFCB54CFA8D888D69B7B2FF88315B268195E916AF3A6D731EC45DB00
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 11964960695dd94b707ea299dbb8414f499c3b6cf08ddb287187184ac34efb6f
                                                                                              • Instruction ID: 311ab872ed60e8bef76eb3ccf0f813764f15a7412667fa4b298e647f7b9fe159
                                                                                              • Opcode Fuzzy Hash: 11964960695dd94b707ea299dbb8414f499c3b6cf08ddb287187184ac34efb6f
                                                                                              • Instruction Fuzzy Hash: 7B81D574E002198FDB54DB68C584A9EB7F2FF88220B15C559E819AB365DB70EC45CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f78960c42f24744e98fb403b5a47f1e2b2012952f377c97cd253d2f36bbf9d65
                                                                                              • Instruction ID: 652cd474ccec341e99d60547791cfa6ebf61dc0147ffc7340d8c5373f04acc66
                                                                                              • Opcode Fuzzy Hash: f78960c42f24744e98fb403b5a47f1e2b2012952f377c97cd253d2f36bbf9d65
                                                                                              • Instruction Fuzzy Hash: 45710A78F012158FCB44DB68C594E9DB7F2EF88214B19C599E81AEB365DB30EC45CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 26157e714649b22b08cd9bb3946d78a89b7694a35683848aa3ab735925b51183
                                                                                              • Instruction ID: b4d7d74b33debcb59bca5bad53d99732be13cba5e6604ad7c32d6d68133697a3
                                                                                              • Opcode Fuzzy Hash: 26157e714649b22b08cd9bb3946d78a89b7694a35683848aa3ab735925b51183
                                                                                              • Instruction Fuzzy Hash: BB714C31E009298FDB14CB5CC9809ADFBB2FF84304F59C569E81AAB656D734E881CF94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c4ee44e51d34d758b1f218d693f647fab8b69c68d808e1ffad929479d3cbdf67
                                                                                              • Instruction ID: ba9f3b5f4d22717e1e93eeab6e95657f6d72c9b97b36ae558bcf54523a9d8673
                                                                                              • Opcode Fuzzy Hash: c4ee44e51d34d758b1f218d693f647fab8b69c68d808e1ffad929479d3cbdf67
                                                                                              • Instruction Fuzzy Hash: F261AC70A00A15CFC724CF68C848AA9BBB2FF45301F44C5A9E5599F2A2D731E845CF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5f1d572698f459424fd6161f35d73451197e3a6892f9f0a36c8d0a54d38de37b
                                                                                              • Instruction ID: 9c50325e3c01f1b7d2ca20cb3053e1c4152b63a1f8fa0fe73ee7f66d9375ef8e
                                                                                              • Opcode Fuzzy Hash: 5f1d572698f459424fd6161f35d73451197e3a6892f9f0a36c8d0a54d38de37b
                                                                                              • Instruction Fuzzy Hash: 23813574A053698FCB65CF29C994AD9BBF2BF4A300F4441DAD44AAB361DB319E85CF40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 58d5fb44618a3e376383c57217288cf3933a674e88fc74239d5a17df9c18b97f
                                                                                              • Instruction ID: 503c72e1791bf46aab1a10e962e1d8edf94b6f84f2c5bb99ddf32457ddd54ba1
                                                                                              • Opcode Fuzzy Hash: 58d5fb44618a3e376383c57217288cf3933a674e88fc74239d5a17df9c18b97f
                                                                                              • Instruction Fuzzy Hash: D55140353003019FD708EF29F894A6A77B7FBD56117908A2CE50A4B754CF74AC95DB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6c1bc47314ddfe46aaf8e6882d778682a8b33acdbf4b028a25db0289733a7768
                                                                                              • Instruction ID: ab8d37a97359fb03bf366de2f847e15b39ed40972cd466af6789640307110a4c
                                                                                              • Opcode Fuzzy Hash: 6c1bc47314ddfe46aaf8e6882d778682a8b33acdbf4b028a25db0289733a7768
                                                                                              • Instruction Fuzzy Hash: 44515F353003019FD708EF29F894A6A77B7FBD96117908A2CE50A4B794CF74AC95CBA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 43ff25d908a48114517074a4b009559e2f9f418eac7720c13be974b0c4969022
                                                                                              • Instruction ID: 30c73e7a03368cf42bf53c7d77a9f152f81d623f65782adcd2a8183d93da224c
                                                                                              • Opcode Fuzzy Hash: 43ff25d908a48114517074a4b009559e2f9f418eac7720c13be974b0c4969022
                                                                                              • Instruction Fuzzy Hash: 0F513874601B118FC725DF68DA9062AB7F2FF84300B518A6CC1478BB95DBB8F8428F95
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b9b24dc31ced67f262899f3ceca233f4813c80897cfc98163cdf0b483d150716
                                                                                              • Instruction ID: df6dea19f0c1d2554bd4fb85b788b5b52ee1df501d68bde334f47f0515f5af14
                                                                                              • Opcode Fuzzy Hash: b9b24dc31ced67f262899f3ceca233f4813c80897cfc98163cdf0b483d150716
                                                                                              • Instruction Fuzzy Hash: 57516871A002158FE718DF29D898B6A7BF2FF84300F5485ACD54A9B390DB74AC45CBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a9067bac6a539991dc05586a2aba08a01f10b4cf763ed8c5e53ef9e02f2f0549
                                                                                              • Instruction ID: 25fec26b011ddc85c089a2b425b3b3643a770376212b25c6bc9d42e5acfc26e8
                                                                                              • Opcode Fuzzy Hash: a9067bac6a539991dc05586a2aba08a01f10b4cf763ed8c5e53ef9e02f2f0549
                                                                                              • Instruction Fuzzy Hash: C2517B71A00215CFDB24DF65C894BAEB7B2FF84300F1486A9E809AB351DB74AD85DF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c79819c85dd4ca972cf625f440ee4068b33a6ecf712a836a2fe220190b4e6525
                                                                                              • Instruction ID: af07342ed6732440d943fe2641859e25c1d6009bc61c7a0ed9a0d798d85bd5c8
                                                                                              • Opcode Fuzzy Hash: c79819c85dd4ca972cf625f440ee4068b33a6ecf712a836a2fe220190b4e6525
                                                                                              • Instruction Fuzzy Hash: E4516E712003059FCB09EF79EC84A6AB7A7FFD4211B50892DE5094B794CF74AC56DB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ccac597b26b60b6682af3f3eb099a07044b830a6dacd6e811f5f92e51dcb21a9
                                                                                              • Instruction ID: 42e6138f958b0d4ed799590eafe3a488f827ed238e6508162657a080c6d5f2b2
                                                                                              • Opcode Fuzzy Hash: ccac597b26b60b6682af3f3eb099a07044b830a6dacd6e811f5f92e51dcb21a9
                                                                                              • Instruction Fuzzy Hash: 3B518F712003059FCB09EF39EC84A6AB7A7FFD4211B50892DE5094B794CF74AC56DB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8624f2ba35ba963146aca7ec2fac929f8b1aaeef43fdd3ea730b3a3360bd4a39
                                                                                              • Instruction ID: 5aaf1aaed2909340946a3de032ec7b4a64001ab9d7ae5de940f23206d4846cfd
                                                                                              • Opcode Fuzzy Hash: 8624f2ba35ba963146aca7ec2fac929f8b1aaeef43fdd3ea730b3a3360bd4a39
                                                                                              • Instruction Fuzzy Hash: 6751AC71A002158FEB28DF28D854B2ABBF6FF84300F4485ADD4499B390DB75AD45CBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 95c1faab4730b58ee410071586f8c9336854e82acad7b6b2b7e69c2f1eaf58f1
                                                                                              • Instruction ID: 001dee6b6895732f02c049e5d9b7743ea7dd9d3da62e996556deeed2924a66bd
                                                                                              • Opcode Fuzzy Hash: 95c1faab4730b58ee410071586f8c9336854e82acad7b6b2b7e69c2f1eaf58f1
                                                                                              • Instruction Fuzzy Hash: 5D514771A02304CFCB25CF68D158B5ABBF2FF88314F158668E846AB350DB35E946CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 13a681dbabacaa8b7075d49e546ac421aaf46963f40311e2f5a860cf9654e2bc
                                                                                              • Instruction ID: d27b1592c7551a64d279bed4d1bb037ad43500feac21aaa4f58093724988837b
                                                                                              • Opcode Fuzzy Hash: 13a681dbabacaa8b7075d49e546ac421aaf46963f40311e2f5a860cf9654e2bc
                                                                                              • Instruction Fuzzy Hash: 314115B0D003499FDB54DFA9C880ADEBFF6EF48710F148429E80AAB250DB34A945CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0478415d6970ae44def9742f3befcd4368e122875dbe2d313e918f6886088824
                                                                                              • Instruction ID: 7fe6d888c4635c02680d61985116434f8d1ec2088e796520dd94d55c9cef13e8
                                                                                              • Opcode Fuzzy Hash: 0478415d6970ae44def9742f3befcd4368e122875dbe2d313e918f6886088824
                                                                                              • Instruction Fuzzy Hash: 85415671A00229CFDB14CFA4D988B9EBBB2FF88300F508599D409AB254DF70AD86DF51
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 453077f79108e3b25030f8f5c2f022e02d6ba3e48daad65e583cf4307a63ba3c
                                                                                              • Instruction ID: 74591c8225b1818d82f1fc0fbcb157cd351efcc78f8bb38df7dafea7d6368ed4
                                                                                              • Opcode Fuzzy Hash: 453077f79108e3b25030f8f5c2f022e02d6ba3e48daad65e583cf4307a63ba3c
                                                                                              • Instruction Fuzzy Hash: 1831A830A01214DFD308DF69E9A8A29BBF2FF45302F4485AAD419AF721DB759D84DB80
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 37abe76ecfc97e3d88fe2debaa4c0e58c135340f711b21716d6f3335cfa35f2e
                                                                                              • Instruction ID: 51250a217f860ebf3965b4c4ee90a68c605fb5c61f905b699e830adf86d9010f
                                                                                              • Opcode Fuzzy Hash: 37abe76ecfc97e3d88fe2debaa4c0e58c135340f711b21716d6f3335cfa35f2e
                                                                                              • Instruction Fuzzy Hash: B3315634B00224CFDB58EF78D5586AE7BF6EF89305B1144A8D406DB3A1DB369D41CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f3f59537e93afe1bc55bde64b34b73582bddfe77bd1e58ee60f57e317c59e696
                                                                                              • Instruction ID: 53b16cf098e92800f70ea88eb08b5596164dcd1a274062910b5cdd61313bda3d
                                                                                              • Opcode Fuzzy Hash: f3f59537e93afe1bc55bde64b34b73582bddfe77bd1e58ee60f57e317c59e696
                                                                                              • Instruction Fuzzy Hash: 4B311C75B002149FD7049F29D998A6DBBF6AF88610F158059E506DB3A1CA71AC048B50
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 36030583469d0526f9e3a0786972ad556a6b14f54073dc888ee954e3f7ac1e6f
                                                                                              • Instruction ID: b724e26e3d68575ed500e5aba02ee6fbc9ae49430340bfa7b295ca0e38789bbe
                                                                                              • Opcode Fuzzy Hash: 36030583469d0526f9e3a0786972ad556a6b14f54073dc888ee954e3f7ac1e6f
                                                                                              • Instruction Fuzzy Hash: B4315A74B006158FDB04DFA8D858A6DBBB2FF88340F158099E805AB365CB35EC86CF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7afe43e55d6708fb7e2f47f75df331d29d108ad34621912ae744aca346325118
                                                                                              • Instruction ID: 4bb3a273969809b02b48de89ed65a543b33019455a3e9fbae76e1a0f4a7374dd
                                                                                              • Opcode Fuzzy Hash: 7afe43e55d6708fb7e2f47f75df331d29d108ad34621912ae744aca346325118
                                                                                              • Instruction Fuzzy Hash: A4317C34B102159FC708EF78D89892EBBB2FBC8211B908429E406CB355DF35EC46CBA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2f7fa4e3647dcd4a9a97e59d555c8dafc67d29202c062ad524881d438b095ac7
                                                                                              • Instruction ID: 9038c1f090f4075da994edc73e1ec47206edcbc68f0e9ea0fec1dee04f972b93
                                                                                              • Opcode Fuzzy Hash: 2f7fa4e3647dcd4a9a97e59d555c8dafc67d29202c062ad524881d438b095ac7
                                                                                              • Instruction Fuzzy Hash: 0C311775E012189FCB04DFA9E894AADBBF2BF88311F148569E405AB350DB34ED45DFA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c90f19c7dc96f8fa8a3bd5be12116ab73c1f9fd55d9793c12088f223c46146d8
                                                                                              • Instruction ID: 9c195fa722c592ed45c73adf81e3eafd600b03fcbe6e050e239b2668911ea43a
                                                                                              • Opcode Fuzzy Hash: c90f19c7dc96f8fa8a3bd5be12116ab73c1f9fd55d9793c12088f223c46146d8
                                                                                              • Instruction Fuzzy Hash: 7831B436F0052A8BDB24DEACDC905EEB7B1EF84321F10852AE926A7381C7709905CF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 11e221b95b97c2b6bfdc0a4317888ff6986273596eb92466e7a91615ff3a3684
                                                                                              • Instruction ID: 910523e72ba0926a4ad9cf2d7ef8bf2f9ad406fba1d862a3b67b81162d41a89c
                                                                                              • Opcode Fuzzy Hash: 11e221b95b97c2b6bfdc0a4317888ff6986273596eb92466e7a91615ff3a3684
                                                                                              • Instruction Fuzzy Hash: D531F1703003564FCB15EFACDC9096E7BE6EF99201700496EE14ACF386DB60AC49C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 657584e15d7f93d9b95341ed54df695979c3feb03bbe626d3d7b0e1d018458b3
                                                                                              • Instruction ID: bd21997021b88bcf26eaab9eb67e12d1b75e1105eb17f447715cf39df66a8e8c
                                                                                              • Opcode Fuzzy Hash: 657584e15d7f93d9b95341ed54df695979c3feb03bbe626d3d7b0e1d018458b3
                                                                                              • Instruction Fuzzy Hash: 223122343097A05FC71A8B3DD8189993FA5AF8A61072901EEE40ACF363DB21DC01CBE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 055b546c26ba49167ad733b6c3762ced9bf5ced1617cce84be3dc0d53b894a20
                                                                                              • Instruction ID: bb16f8bf49769654c777e7164fcfc7d044cfb1f2e385cb39c0a464f7ee3a8bce
                                                                                              • Opcode Fuzzy Hash: 055b546c26ba49167ad733b6c3762ced9bf5ced1617cce84be3dc0d53b894a20
                                                                                              • Instruction Fuzzy Hash: 62318B713003118FC715EB69E840A5AB7E6FF84316B10CA2EE15E8B755DF72E846CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 908f9ca80fce2e877214fdd2ddfd3d7fbbd23fcdf3cf3d1667f3e0f582547e66
                                                                                              • Instruction ID: 79dc8190a150b86607f065bf6dc0f8c4d3f0402412002fd39d11b8700f8e4f03
                                                                                              • Opcode Fuzzy Hash: 908f9ca80fce2e877214fdd2ddfd3d7fbbd23fcdf3cf3d1667f3e0f582547e66
                                                                                              • Instruction Fuzzy Hash: 2A318D32B05116DFCB14DFA9E8506AFBBEAFF88214F14803AE15AD3245DB349949C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3044876b26f5985fa99f7ed06b5b4bad0526196961942c289e256cc9640c64d3
                                                                                              • Instruction ID: 4ddc5b84a8434d0ff2f84b90b7e4e67798a02923888dc835534241f3fedb65dc
                                                                                              • Opcode Fuzzy Hash: 3044876b26f5985fa99f7ed06b5b4bad0526196961942c289e256cc9640c64d3
                                                                                              • Instruction Fuzzy Hash: 03315734240A50DBD399EB34EA50B1A37A2FBC5600F604269E527CB3A0DF35AC46DB85
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6857ca6a10235aabcce81708e0b02b2f7dba234851423cdc0a9a4f455d187c23
                                                                                              • Instruction ID: d0953fcc82a7d1f432d5866525040d5cd8b489b0258cb388f9e8d18ddbbd602f
                                                                                              • Opcode Fuzzy Hash: 6857ca6a10235aabcce81708e0b02b2f7dba234851423cdc0a9a4f455d187c23
                                                                                              • Instruction Fuzzy Hash: 7F41D0B0D003499FDB14DFA9C884ADEBFF6FF48310F108429E81AAB250DB75A945CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 301dc94ecb70e9dc10c7ed1e1a8cf3d8df366a4d693c05abdd0beb27acc92401
                                                                                              • Instruction ID: 1def23f23d7449d5b040ee234f0deb53c0ecde21d75e0fd2b4bec59141039194
                                                                                              • Opcode Fuzzy Hash: 301dc94ecb70e9dc10c7ed1e1a8cf3d8df366a4d693c05abdd0beb27acc92401
                                                                                              • Instruction Fuzzy Hash: 7331A631B04220CFDB54EF38D918AA9BBF1EF89315F5144A8D402DB3A2EB369C01CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              • Opcode Fuzzy Hash: 0cfecef3f8cb4ded5fad2d415c8db84507c4342d21c3a9b01409b175a420d9e9
                                                                                              • Instruction Fuzzy Hash: 2021D375604300DFDB16DF98D5C4B25FBA5EB84318F24C5ADEC0A4B296D377D406CA61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: f987266aa8969cac894886620ce68c367430e5760397da2ae227ebc7618411df
                                                                                              • Instruction ID: a071576bbd6196d57611f14b617e1873db9e8fb752bfde76224ce15e0e47c74f
                                                                                              • Opcode Fuzzy Hash: f987266aa8969cac894886620ce68c367430e5760397da2ae227ebc7618411df
                                                                                              • Instruction Fuzzy Hash: 99117CB07151289FD7489F79989863EBAEBBBC8210B95881AE00BD7340DF758C1287F1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3cb44389a18404689aa6b9db2df51532fe8e1a6ce0e5055e3de0ae2e785c5d00
                                                                                              • Instruction ID: a68ca1a8a5a51a8f4360f4cf725db69573c7b7761a2e33b74f72ff8d6b3925a4
                                                                                              • Opcode Fuzzy Hash: 3cb44389a18404689aa6b9db2df51532fe8e1a6ce0e5055e3de0ae2e785c5d00
                                                                                              • Instruction Fuzzy Hash: B811C971340B009BCB0AA66DB864ABBBEA2FB986107804475F21C8F354DF665D6597D0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 126545ccd8bed6b6ede18e1663421dbd6ab27e6c5ae6ac688cded807a3308681
                                                                                              • Instruction ID: f0ad16a432e8342ff519508b9aa4c222af60923c9de2281bd716849fcbc5bfb0
                                                                                              • Opcode Fuzzy Hash: 126545ccd8bed6b6ede18e1663421dbd6ab27e6c5ae6ac688cded807a3308681
                                                                                              • Instruction Fuzzy Hash: D421A679B002188FCB05DFA8C484D9DBBF2FF89310B158195E805AB366DB75EC86CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 12e7282a8d817cb37b5147a71bd9dda11306fc59b8e146a6da85706c44274dd9
                                                                                              • Instruction ID: d4bddf92b4b2cbe1313ad943bd1ce9c8810e6aee3cc4eed9c0a03669c1fb3a52
                                                                                              • Opcode Fuzzy Hash: 12e7282a8d817cb37b5147a71bd9dda11306fc59b8e146a6da85706c44274dd9
                                                                                              • Instruction Fuzzy Hash: 91212775B011198FCB04DFA8D994AEEBBF1EF88200F2085A9D509EB341EB359D42CF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3ed4b5c5686f5316307004f27e9f1cbad49ec3d5afd87fd6c0b1464ffc3f102d
                                                                                              • Instruction ID: ef634952a16dad11f542604084170b31a2a1348f4f26a6be2be661cacc39cfed
                                                                                              • Opcode Fuzzy Hash: 3ed4b5c5686f5316307004f27e9f1cbad49ec3d5afd87fd6c0b1464ffc3f102d
                                                                                              • Instruction Fuzzy Hash: 822190B4B006298BDB18CF59C594AAEBFF6AF88311F188169D402DB351CB74E941CF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0b6a3fbd311e64bfb470a9e9256c071d2d2d0a2eda76892d2be95762b7bfa372
                                                                                              • Instruction ID: e5e137ff81e92300507e092ca4fa51ecb0a26660875b17e3dfa14de1bc07bbba
                                                                                              • Opcode Fuzzy Hash: 0b6a3fbd311e64bfb470a9e9256c071d2d2d0a2eda76892d2be95762b7bfa372
                                                                                              • Instruction Fuzzy Hash: B2214130A10219DBDB18AF69D854BDEB7F6BF88301F108029E916A7394CF759945CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 02ac958a34da444b3261a4a98f99167b153d5ed22885d00121566eb346f2f950
                                                                                              • Instruction ID: 388d91db22bced5289408b45a9293bfeef53898c8a0daa5bd7e7cbefd7979068
                                                                                              • Opcode Fuzzy Hash: 02ac958a34da444b3261a4a98f99167b153d5ed22885d00121566eb346f2f950
                                                                                              • Instruction Fuzzy Hash: D4218C75A006249FCB10CF68D88099EBBF1EF8C320B24816AE915EB395D731AC01CFA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b56b39315df30fbfb23e63c7b5aa5e1e0d89c113b192c58084465bfb3c4daf76
                                                                                              • Instruction ID: 341756a62de39e65165bcb58752d106523f25595a284c92c5e3ed94caf571c19
                                                                                              • Opcode Fuzzy Hash: b56b39315df30fbfb23e63c7b5aa5e1e0d89c113b192c58084465bfb3c4daf76
                                                                                              • Instruction Fuzzy Hash: B131F275E0175ACBCB01DFA8D5804DDFBB1FF99200B14C796E858A7205EBB0AA95CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 93d37190d466df563ac5193c1d68306f6e1a17750c7738f6ea66ac289870493a
                                                                                              • Instruction ID: 9babc00a5555a81a5bdeffd5da8fd42ebec6f6f2c6bcafa30ee1582cbbf2fa10
                                                                                              • Opcode Fuzzy Hash: 93d37190d466df563ac5193c1d68306f6e1a17750c7738f6ea66ac289870493a
                                                                                              • Instruction Fuzzy Hash: BB11B235B045214FDB68ABB999502FE77E7AFC5700F288429C51AD77A4EF309C038B92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 22683a7c9372b2c3648d05f45e5e7e217d3abfb3d6d57d425f50235c42046b15
                                                                                              • Instruction ID: abc9849b649b53e6fb5e85bfb1c2064dc58ac64d1076ee8992f355ccbae5a5b8
                                                                                              • Opcode Fuzzy Hash: 22683a7c9372b2c3648d05f45e5e7e217d3abfb3d6d57d425f50235c42046b15
                                                                                              • Instruction Fuzzy Hash: 59212C75D0578E8FCB01CFA8C4404CDBFF1AF9A310F254656E858BB251D7706A59CB61
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bedb98803dbc85de7425de67170cf42125570af9a3b9c7ea69016e0b4aa67e0a
                                                                                              • Instruction ID: 733565bf2cbf5f5a60e25a418e3c12c5ee16acdacee8f98bbe4b246d33419d10
                                                                                              • Opcode Fuzzy Hash: bedb98803dbc85de7425de67170cf42125570af9a3b9c7ea69016e0b4aa67e0a
                                                                                              • Instruction Fuzzy Hash: EE213A35A10258AFCB14CF25C844A5A7BB6FF89751F14C569E81ACB360DB31ED42DF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 1708ded33876336763e8a3b1a678095a2af677791d2ef39324e90d00d32f590d
                                                                                              • Instruction ID: 30ff6328b7496fe9365a5b438e71510f02abfcc58819dfe043343b935c509fc1
                                                                                              • Opcode Fuzzy Hash: 1708ded33876336763e8a3b1a678095a2af677791d2ef39324e90d00d32f590d
                                                                                              • Instruction Fuzzy Hash: B521CF31601B21CFD325CF28C818B19BBB1BF01312F6585A9E4259BBA2C731EC81CF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 7eac031591916baf7bcb036e05366b1b45eee6221515392217146624e74bfc86
                                                                                              • Instruction ID: 09711f7d01f8e369ee65836c98f1d997b7c4708a17331e7e19528114cf7ed4db
                                                                                              • Opcode Fuzzy Hash: 7eac031591916baf7bcb036e05366b1b45eee6221515392217146624e74bfc86
                                                                                              • Instruction Fuzzy Hash: 26112935B043214FC755EB7DE85466E7BEAEFD0125704416AD00ACF394EF389C458790
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 090ed1f03de6becb6238a1d4620a8a9d62b5f9d832c45b7fbdc570fb8451ecb7
                                                                                              • Instruction ID: d60414ce056b54de260115bbc9b7a921556ed9ffe98b2afeece41e9d443bbff6
                                                                                              • Opcode Fuzzy Hash: 090ed1f03de6becb6238a1d4620a8a9d62b5f9d832c45b7fbdc570fb8451ecb7
                                                                                              • Instruction Fuzzy Hash: DF213A35A10248AFCB14CF25C844B5A7BF6EB85750F14C569E81ACB290DB35ED42CF94
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6c096ee9e79a91e58ea8a26a78b91bf5b6a4bcdbd6bd157e905858524031d118
                                                                                              • Instruction ID: 2965b74e2365fa603aa3e9503511ab532d85122b874df3c5cfb4432125939c1c
                                                                                              • Opcode Fuzzy Hash: 6c096ee9e79a91e58ea8a26a78b91bf5b6a4bcdbd6bd157e905858524031d118
                                                                                              • Instruction Fuzzy Hash: 15214D71A002199BDB08DF69C85479EBBF6EF8C310F14C129E519A7354DB71AC41CBA4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 499367571ef2794dad0ca9ff2712c66b5363d526a9713fb1dbb7bafebb4d39e6
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5b9edfd8ac62bc4047a53e74685a1216212ce7d2180de7dfcf9cfcd4f56e0801
                                                                                              • Instruction ID: 8a2851391dbe38daaa49d0b5a353ff5810d9c50934ca35af6146b7a2a7b85bb8
                                                                                              • Opcode Fuzzy Hash: 5b9edfd8ac62bc4047a53e74685a1216212ce7d2180de7dfcf9cfcd4f56e0801
                                                                                              • Instruction Fuzzy Hash: EE11A0397102109FC709DB68D49992DFFE6ABC8215B90802AE406C7345DB34E847C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4fda34a0bb9f05d11f2c35249a04d7058f6c5e5ba2173d7353362e0083bb50d3
                                                                                              • Instruction ID: 9f47b14ebc401520198027b9412a8cfb1ca0d529d298e6ae4cb93390b5843776
                                                                                              • Opcode Fuzzy Hash: 4fda34a0bb9f05d11f2c35249a04d7058f6c5e5ba2173d7353362e0083bb50d3
                                                                                              • Instruction Fuzzy Hash: 79019275B00A259FDB208A5DCC84B5ABFF9EF85711F188069EA05EB361DB71DC058B90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 52f77a3a0f6b92a38fbb6c3a4773007f51594651277ac2d1c019a174398a6775
                                                                                              • Instruction ID: 61c664cb83ff1f18d86f41fe18801a9d6bece7671dfe8cb0e02e5f3ba3b247bb
                                                                                              • Opcode Fuzzy Hash: 52f77a3a0f6b92a38fbb6c3a4773007f51594651277ac2d1c019a174398a6775
                                                                                              • Instruction Fuzzy Hash: E7112731A0A3459FC702DB78D859A6ABFF6FB86214F0441AED244CB352C7399C55C7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3089603505.000000000170D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0170D000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_170d000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                              • Instruction ID: 57f50f05c9ebd013ef9e50c87e27402e89306bfc0cc3d4ef4874463901f77c38
                                                                                              • Opcode Fuzzy Hash: 5bc96cb8dbab4a459d35c79ebbe5ba2a9dff6c5f08df11ade35b896c854f64ae
                                                                                              • Instruction Fuzzy Hash: 7511AC75504340CFDB12CF94D5C4B15FBB1FB84218F24C6A9DC094B296C33AD40ACB52
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 34275736d93f999b9a68b0c4142dea3e364a236eb564a52636dd446deef24d83
                                                                                              • Instruction ID: 6e1aaf65655d171088523ecaf2747a16ed21b737f9a2f78a5894e9e590628412
                                                                                              • Opcode Fuzzy Hash: 34275736d93f999b9a68b0c4142dea3e364a236eb564a52636dd446deef24d83
                                                                                              • Instruction Fuzzy Hash: A1119E71A01216DFCB44DF68D58429EBBEAFB88314B548529C009E7244D735AE49CBD1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 49c31161d68a2e40fbc947e24c4f2503db59dece540692e5dcb548c425c335cd
                                                                                              • Instruction ID: a3a194119402e33b6449681b8c5a2bd8ec6c50747dd68212683d04ba24aec442
                                                                                              • Opcode Fuzzy Hash: 49c31161d68a2e40fbc947e24c4f2503db59dece540692e5dcb548c425c335cd
                                                                                              • Instruction Fuzzy Hash: 2111BA76B00119ABDF11CE95DC40AEEF7FAFF88611F14801AE915E3254D77299229BA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: aa66daa50df52b2c35faf7efbe3d77adc56c09e38ce6f8467825161486c17c55
                                                                                              • Instruction ID: d2dc2936dc6720f51135c98e95f044bd6138aaa4d609ab5760384f70fd587e03
                                                                                              • Opcode Fuzzy Hash: aa66daa50df52b2c35faf7efbe3d77adc56c09e38ce6f8467825161486c17c55
                                                                                              • Instruction Fuzzy Hash: 0611A132D0174BABCB05DBE8D8004DEFB72EF86320F154252E5117B160DBB1254ACBE1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: ba2404aa17028b2ad3120463fc14dac3450576ebd2cb7d34dd41eabb43c29dc5
                                                                                              • Instruction ID: 600112b52e13b9d565aa0917101107f50244b22923b490f83fd91a0c6ec04edf
                                                                                              • Opcode Fuzzy Hash: ba2404aa17028b2ad3120463fc14dac3450576ebd2cb7d34dd41eabb43c29dc5
                                                                                              • Instruction Fuzzy Hash: 9511F772D0161A9BCB00DFA9D8404DEFBB6EF89721B119626E91577250E7B0254ACBA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c33de604e4d0c9e19f8ffd5ee4bd5fda35a09f953fb2354d82a8d14f0a3d407e
                                                                                              • Instruction ID: 6dc11b1c12973ce04a261ef068506a56c7ef390efdd784225087faff0ed36509
                                                                                              • Opcode Fuzzy Hash: c33de604e4d0c9e19f8ffd5ee4bd5fda35a09f953fb2354d82a8d14f0a3d407e
                                                                                              • Instruction Fuzzy Hash: 39116132D1575A8BCB05DFB8D8004DDBF72AF86320F160666D5047B160E670298AC7A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c92707b0320e98e2a9bcda622aeb74f360d7e7fd745f91c8d9fa63085531a5fc
                                                                                              • Instruction ID: 2e0fca7227263ebf1bcf83678c078867837cda2f67fd9f7d7471ff22109814f3
                                                                                              • Opcode Fuzzy Hash: c92707b0320e98e2a9bcda622aeb74f360d7e7fd745f91c8d9fa63085531a5fc
                                                                                              • Instruction Fuzzy Hash: B801D8767043109BC711EF7AE9549AB7BAADFD42157008567E50ECF251EA389C058790
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: afdfb88774c7ce4c2dc4d65843147a552e7068e6a59fbb53730d6818aebf8c4f
                                                                                              • Instruction ID: c7e6ead102a3f461215e994ef8f2b1f682ee5ea2d72424bc983f868e4d46b0ef
                                                                                              • Opcode Fuzzy Hash: afdfb88774c7ce4c2dc4d65843147a552e7068e6a59fbb53730d6818aebf8c4f
                                                                                              • Instruction Fuzzy Hash: 29015E753142004FC714DF2DE894D2A7BE6BBD921135488A8E548CF365DB71EC46CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 489fd80f5c7a671a63d35d19290e35ede47d1aab66463d07eeae6885b9ab9a01
                                                                                              • Instruction ID: 4bfb0d40d0d9c14cf119e5d5031304a12c4e5150313efa101cd839bac306f9aa
                                                                                              • Opcode Fuzzy Hash: 489fd80f5c7a671a63d35d19290e35ede47d1aab66463d07eeae6885b9ab9a01
                                                                                              • Instruction Fuzzy Hash: 7A018472E0055A9FCF019F98DC454DEBF71FF56311B01416AE909BB211D7315556CBE0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4941fad8c9b4b0644dfe6ff51729c8094c0b23826164e8ceba7a9493b35cf5af
                                                                                              • Instruction ID: 124945cc0abae9368b7808e0e6220da88384b2bf9e3491127260ecf215f151ca
                                                                                              • Opcode Fuzzy Hash: 4941fad8c9b4b0644dfe6ff51729c8094c0b23826164e8ceba7a9493b35cf5af
                                                                                              • Instruction Fuzzy Hash: CB118EB0A416698FDB10DFA8C854AEDBBB1BF48310F204159E501AB3A5DB749D41CF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0b797bba4be0703cd9c0aee5c700adf014112c1d782f8d0f85cfcc04f85bd8f9
                                                                                              • Instruction ID: 5d67221183ee597cfb60f172c2599d0b8a05522f90a8cc65ec01a29e853de4f8
                                                                                              • Opcode Fuzzy Hash: 0b797bba4be0703cd9c0aee5c700adf014112c1d782f8d0f85cfcc04f85bd8f9
                                                                                              • Instruction Fuzzy Hash: 7B016175A001158FCB04EF6DD88089EBBF5FF8D3147248269D919E73A5E631AD06CB91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e6b0a73e5d6c406dcf472d168fc109e5ae2803efc97fc719c85df3464c05627a
                                                                                              • Instruction ID: 2acfc5d06a137303b5e308cc13639f40a925f9c225957e222fa0bbad693b791c
                                                                                              • Opcode Fuzzy Hash: e6b0a73e5d6c406dcf472d168fc109e5ae2803efc97fc719c85df3464c05627a
                                                                                              • Instruction Fuzzy Hash: 1411C030601625DFCB18CF29CC84A7A77FABB84265F248169D4045B782C736ED83CFA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 31f3e8ae613094be2f2d704f3df0d4b9dff0961ee8e87dac1cf8d02dcceac8cc
                                                                                              • Instruction ID: 93195df379662cdf816a7ef1e782a9ba5b4b47d1cf5fa886e75be91914250971
                                                                                              • Opcode Fuzzy Hash: 31f3e8ae613094be2f2d704f3df0d4b9dff0961ee8e87dac1cf8d02dcceac8cc
                                                                                              • Instruction Fuzzy Hash: 3D01F7313003400BC305E378A890AAF7BE7EFD5251358496DD14D8B751DD21AD07C3B6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0c7b5b993add10ac463cbe17d193a500da402d471aa0c2ff1f76e7030f023fb2
                                                                                              • Instruction ID: ab1467020810b94cda9eecddcf16c2c11f4780c38701995f06badd93e76ac003
                                                                                              • Opcode Fuzzy Hash: 0c7b5b993add10ac463cbe17d193a500da402d471aa0c2ff1f76e7030f023fb2
                                                                                              • Instruction Fuzzy Hash: 74014636B002149FCB18CF68D484DAC77B2BBC8315B084699E9059F350CF31EC81DBA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: dd531685a2f7cea997ea537f791b1856ab3d104ab908f3579eda1fa6028dfd7d
                                                                                              • Instruction ID: 9002619828f1e30896c9040ff769f05b8ad913914e0125dedf043ca65e49df6d
                                                                                              • Opcode Fuzzy Hash: dd531685a2f7cea997ea537f791b1856ab3d104ab908f3579eda1fa6028dfd7d
                                                                                              • Instruction Fuzzy Hash: BAF0C232D102199BDF19DB70C4595EFBBF69F85300F15892AD116B7280CEB45A47CBC2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: e3d2578291cbb4507a694f76e4c9434d96c05c61f30fb24e050743ba64223a42
                                                                                              • Instruction ID: 59b42f79773f0447bfd31e6910e76d66521919ffbe30742d281b46038ce674f5
                                                                                              • Opcode Fuzzy Hash: e3d2578291cbb4507a694f76e4c9434d96c05c61f30fb24e050743ba64223a42
                                                                                              • Instruction Fuzzy Hash: FEF08C75B002199BCF04DF65D854ABFBBB6FBC8311F208029E90967345CB35AC528BA1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 827f3430cc274dcd78e1e4a23b90e01c6c84d0f17fdfca7ee858c288b29d8e22
                                                                                              • Instruction ID: c1ee9097198cb43cf8b893b9b27b171e71194741b0a6e6eb9252c1923d393598
                                                                                              • Opcode Fuzzy Hash: 827f3430cc274dcd78e1e4a23b90e01c6c84d0f17fdfca7ee858c288b29d8e22
                                                                                              • Instruction Fuzzy Hash: DDF0B47AB10220479B549BBDA6497BE3BDF9BC41627088036F906D3204EF34C80193E0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 895c21a90aa9f31ad5c868835a677258d88ee4f1392a65c791187e82124000ee
                                                                                              • Instruction ID: 9dc1ad1cee4c9bea19634957e533e6d50093a65e42a1f7b51821a967e8a1d187
                                                                                              • Opcode Fuzzy Hash: 895c21a90aa9f31ad5c868835a677258d88ee4f1392a65c791187e82124000ee
                                                                                              • Instruction Fuzzy Hash: 2DF0F631E0025AA7CF15DB74C8569EFFFBA6F84311F00852AD506AB740DF74591A87E2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: de726f03956d7f09e19e659a35169ae0c3593b25a9b132fe585d67cdcd00b958
                                                                                              • Instruction ID: 987674b89ce61b97d7c4dc4dbdb27aafa4fe5db0c1b49eccfe87cc9a5ff349a0
                                                                                              • Opcode Fuzzy Hash: de726f03956d7f09e19e659a35169ae0c3593b25a9b132fe585d67cdcd00b958
                                                                                              • Instruction Fuzzy Hash: F0F09631A012169BDF049A64C4659EFBFB65F85300F01893AD402AB250DF75590797D2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4e51fb542becf1ee2c89b3c4afab613a2fc467c996471a7336e1b800b7fda31a
                                                                                              • Instruction ID: acc64fc2dc767f9f26d425fd1f2061f3f3753ee3422144d40067380a3366e25e
                                                                                              • Opcode Fuzzy Hash: 4e51fb542becf1ee2c89b3c4afab613a2fc467c996471a7336e1b800b7fda31a
                                                                                              • Instruction Fuzzy Hash: B2F0E2357003109BC3189639AC04A6B77ABFBC9622B148439FA0AC7744CE71EC039BA0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 23a7ea01c27a10997b44c3f8495f957af332f9280697a4d9774db907f7def3dd
                                                                                              • Instruction ID: 458bbc5fb254445d55631b4323ced2bdb8fa4c818bdfa3b84758ea609f79894a
                                                                                              • Opcode Fuzzy Hash: 23a7ea01c27a10997b44c3f8495f957af332f9280697a4d9774db907f7def3dd
                                                                                              • Instruction Fuzzy Hash: 57F089363006208F87159B7DE84486ABBE9FBC9225310457EE10DC7721DF319C06CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 620d78a0fe00fad8a5d14d9b22d38a09883be9db53dc6f91612e68868f38ab07
                                                                                              • Instruction ID: 6730c00fa65846510334499da12199015d8c5ec5e3359ff0117d1ced769ee845
                                                                                              • Opcode Fuzzy Hash: 620d78a0fe00fad8a5d14d9b22d38a09883be9db53dc6f91612e68868f38ab07
                                                                                              • Instruction Fuzzy Hash: F2F0F072A111699BCB09EB68C8259EFBFA69F84301F11452AD012BB250EE71190A87E3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: da9f9a263a2bbb8bd9e765bc34c31385c58a54f23d5b4ab094c9c647691ca34d
                                                                                              • Instruction ID: e4643679bfc17c9f06d3021d1d3b8a142ac59a07a143e145ed18ae2f96411822
                                                                                              • Opcode Fuzzy Hash: da9f9a263a2bbb8bd9e765bc34c31385c58a54f23d5b4ab094c9c647691ca34d
                                                                                              • Instruction Fuzzy Hash: CEF0276AB017560BE745737AA81273F3AC68FC1120F154129F502CB7C8CF288D0383A2
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 85a3e6ed63154d32903eca0b9b634bb580e90e7fb2a1f4f638481e7d24922d26
                                                                                              • Instruction ID: 5f9b97e3be6292b89760e62655fee761c8653f1a3d53d7d482325ad2e0694896
                                                                                              • Opcode Fuzzy Hash: 85a3e6ed63154d32903eca0b9b634bb580e90e7fb2a1f4f638481e7d24922d26
                                                                                              • Instruction Fuzzy Hash: 07F0A08361A3704BF30B627CECB23CABF96DFD1757F484467C18CC5692CD08484A82A6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4b9cfcdc4ee4717594720b1debd11bbd6745634f20241505b97146f9e8c891fa
                                                                                              • Instruction ID: 32fe87291e31d42385e8f9550de1b673b2779042f5839a522ae89086493a879b
                                                                                              • Opcode Fuzzy Hash: 4b9cfcdc4ee4717594720b1debd11bbd6745634f20241505b97146f9e8c891fa
                                                                                              • Instruction Fuzzy Hash: B9F0467291010997CB06DB70C166AFFFFBA4F84300F85892AC002BB281DE75690797C3
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3089437593.00000000016FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 016FD000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_16fd000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3c8e99b7b056122d4f7a0958511edd66ca0172f907af4ec0150c0d3c602dd65f
                                                                                              • Instruction ID: a1f9f84f28924fd80539e2b46be0c8b574913c638b561aaf1cc3f60a06da711c
                                                                                              • Opcode Fuzzy Hash: 3c8e99b7b056122d4f7a0958511edd66ca0172f907af4ec0150c0d3c602dd65f
                                                                                              • Instruction Fuzzy Hash: 48F0C2310083409EE7208A4ADC84B62FFA8EF40734F18C05EEE095B287C379A844CA70
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 04bc72b26af40e4c32d5781ea4a0847d9ff02b0ca0068ca92a13e2f11ce425b7
                                                                                              • Instruction ID: 539938a1d4e48bb997851c651ff4bc8787c2be4d5fda5ccc0939655687bca198
                                                                                              • Opcode Fuzzy Hash: 04bc72b26af40e4c32d5781ea4a0847d9ff02b0ca0068ca92a13e2f11ce425b7
                                                                                              • Instruction Fuzzy Hash: 27F03131A04219DBDF199B64D9186AE7BF2EB89700F140479D401BB760CB7A5C45CF91
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 552553e7a26eda9a59e1fc839aa57efd56532e1709811786fd7a1111f307278e
                                                                                              • Instruction ID: 5652d47cea241336fc0219c6fc7432c7eeb1a931dda0012c03bd7e678a9a2273
                                                                                              • Opcode Fuzzy Hash: 552553e7a26eda9a59e1fc839aa57efd56532e1709811786fd7a1111f307278e
                                                                                              • Instruction Fuzzy Hash: 4AF059713063500FC7029B2CE8028DE3FE2EFE6251304886AE149CB711DD20AC4687E6
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: c9fa1a35a199fcf11bd85dce7a81100fe862d10d51af9dbdca19443ee8f801ff
                                                                                              • Instruction ID: e936e920168767bb25668ad2ccbde87f060ad8bad1f7e49bbab609a65c5febfd
                                                                                              • Opcode Fuzzy Hash: c9fa1a35a199fcf11bd85dce7a81100fe862d10d51af9dbdca19443ee8f801ff
                                                                                              • API String ID:
                                                                                              • Opcode ID: 6828bd5f68d2066b1ae4ebc0d1180a9bada3b0be97d67fad661e399216f9474e
                                                                                              • Instruction ID: c035eec8479afea81527b2bdf2c2596a45b10bc3512df81591614986d5c3b556
                                                                                              • Opcode Fuzzy Hash: 6828bd5f68d2066b1ae4ebc0d1180a9bada3b0be97d67fad661e399216f9474e
                                                                                              • Instruction Fuzzy Hash: 7FF0DA74E041199FCB54DFA9D809AAEBBF6EF48210F408065E918E3201E7349611DF90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 58831602ca7d393c5ba3fe953f6a76ae4c778fd263ce6fe6cce3e771c7f97e64
                                                                                              • Instruction ID: 1884da0c8bf104ec938edfced27ad21a05bc9ccac5c7ee24aa05ab765f33522e
                                                                                              • Opcode Fuzzy Hash: 58831602ca7d393c5ba3fe953f6a76ae4c778fd263ce6fe6cce3e771c7f97e64
                                                                                              • Instruction Fuzzy Hash: B7F0A935A42108EBDB04DF84F985BDCBB72EF44305F208015FA016B2A1CBB26D85CF40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 62f231b4986a36d24c31e91ad9bd76aa1763a067d6194addcd391d2959e26103
                                                                                              • Instruction ID: 5eb47b236a1d0ac297f8789278805bc28093fc9f4fd7f1134001d6f8d4b64b23
                                                                                              • Opcode Fuzzy Hash: 62f231b4986a36d24c31e91ad9bd76aa1763a067d6194addcd391d2959e26103
                                                                                              • Instruction Fuzzy Hash: A1E02232F047645BCB21566DF4083AABBDACFC5231F18846AE88E83640EBB4648583A0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 542b21bffb23d40b75a8938c9c27fc86de3e8ee2768074dbac21a5ec02e5f9cd
                                                                                              • Instruction ID: 5c370f4fa25fa3c694e597a87d185d806cacc895f0d941908c80089cdfa54317
                                                                                              • Opcode Fuzzy Hash: 542b21bffb23d40b75a8938c9c27fc86de3e8ee2768074dbac21a5ec02e5f9cd
                                                                                              • Instruction Fuzzy Hash: 52E012726041246F9204865A9844C67BBEDEEC9568324415AF50CC7202D6239C0387B4
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 31e74dd14eaa1453204acdc698e716fe70457717cf93b18e129812777523a731
                                                                                              • Instruction ID: 5fbf150b7cbee8b406420da857a7826dfb94a8d359985d8ac8de5f18a3afd4c1
                                                                                              • Opcode Fuzzy Hash: 31e74dd14eaa1453204acdc698e716fe70457717cf93b18e129812777523a731
                                                                                              • Instruction Fuzzy Hash: FFF09030604201DFD701EB24E469B793BB2EB82304F104499E5058F251CBB95C86DBD5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: da0061ac83fd29024d0873676caa53c6a9609cbfc34dc52334ad3c64b11b2c70
                                                                                              • Instruction ID: 98dd8c534904d8472a28ed5261aacafd6f89b86b924944502af5deb3e636f882
                                                                                              • Opcode Fuzzy Hash: da0061ac83fd29024d0873676caa53c6a9609cbfc34dc52334ad3c64b11b2c70
                                                                                              • Instruction Fuzzy Hash: 62E0D871700314134204666AAC41C9F7A8AFAD2561354893EE20E8B344EE669C0AC7E8
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: a5c9959970de682435202128c13f6dd706a7d9dbdffce9ee3c949f24281ac3ab
                                                                                              • Instruction ID: e3c9f9210829ab40eaeb13f7e5b50b4171610abea791938b6255d54aada7de64
                                                                                              • Opcode Fuzzy Hash: a5c9959970de682435202128c13f6dd706a7d9dbdffce9ee3c949f24281ac3ab
                                                                                              • Instruction Fuzzy Hash: 99E0392460D3A05FCB07C738C4A09A23FE08F4621470981CAE088CB253D41ACC4AC796
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 90f48da98a9158ea987596136f655d3eb381de43c9defdc0f44002919560e94f
                                                                                              • Instruction ID: 2cfae884fc90be563f57a9fdd006a0233de87354978d39489ca638c0962f9fe8
                                                                                              • Opcode Fuzzy Hash: 90f48da98a9158ea987596136f655d3eb381de43c9defdc0f44002919560e94f
                                                                                              • Instruction Fuzzy Hash: 24E0D8BB60A3404FD315CB74F8952447FAAEF8A17070584BFD14AC7296DE348808C720
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 303de99cd6b670479575eb30140c3528629728d35e09731c7c5507ad6c0244ad
                                                                                              • Instruction ID: 4d3076ec64c9e9ac4759c8f98d23c0549ad27111803475f3f266ffa163d7767e
                                                                                              • Opcode Fuzzy Hash: 303de99cd6b670479575eb30140c3528629728d35e09731c7c5507ad6c0244ad
                                                                                              • Instruction Fuzzy Hash: 5DE09263D047645BD7218629E804786BBD9DFE6324F28E46AD4AEC3341E7A4A48483A1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 736afa01c2bf68ecfa9da0eee28653ce5c27367c275e6d36a029c63fd7fdddf3
                                                                                              • Instruction ID: 028db6d83d96bd61ba33c177003a227b70756dfdd9b2bbd1bc892515c1d9a7f5
                                                                                              • Opcode Fuzzy Hash: 736afa01c2bf68ecfa9da0eee28653ce5c27367c275e6d36a029c63fd7fdddf3
                                                                                              • Instruction Fuzzy Hash: 69F0E531B44008DFCB40CFACED44B9E7BBAFB84210B108026E009E3124EB304D96DB44
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: cf598f7338f1d572b684ed66ea481acafa0c907f5189d2833f47cf640bc74721
                                                                                              • Instruction ID: 4b0ad403ff86b75437e9fc1002dceca4e59364d4a05b0bfe80c124b7ae52e068
                                                                                              • Opcode Fuzzy Hash: cf598f7338f1d572b684ed66ea481acafa0c907f5189d2833f47cf640bc74721
                                                                                              • Instruction Fuzzy Hash: A2E02B30009794CFC3218B14DC683617BF5FF4231AF18565EC486472C2C730A80ACB40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: bf1f4323b708acc0f276ff7eb1e648af8e1625d39404a63a5717c971b9601c7d
                                                                                              • Instruction ID: 32e77c83e6b26f8c0ac41c213868ae2d7f3d2f6376f18b63cc80a3faa0bb8e91
                                                                                              • Opcode Fuzzy Hash: bf1f4323b708acc0f276ff7eb1e648af8e1625d39404a63a5717c971b9601c7d
                                                                                              • Instruction Fuzzy Hash: 59E02632248628599B11FABDB810CAFBFEC9E551A0701413BEE84CB201EB10CAD597E5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 86727edc69040b74b067d7bd2af554c55a4f1cc105150d5e1d2742f871b54693
                                                                                              • Instruction ID: 660608ae9654e684db5e85786e66561d920a2a409a1a51dfe9c8aba7d8977fe8
                                                                                              • Opcode Fuzzy Hash: 86727edc69040b74b067d7bd2af554c55a4f1cc105150d5e1d2742f871b54693
                                                                                              • Instruction Fuzzy Hash: EEE02BB28092468BE3009B64885626DBF71DBA1304F44058AC4429D151C67C8607A392
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 27f5e9b0505df5128f52a85e63ce4354230e4e82ce4f14c377a990a2d34d0dca
                                                                                              • Instruction ID: e10123607e7762b965fad1b66df0f909bf3b2b4fb446eeb704b0b50fef64476c
                                                                                              • Opcode Fuzzy Hash: 27f5e9b0505df5128f52a85e63ce4354230e4e82ce4f14c377a990a2d34d0dca
                                                                                              • Instruction Fuzzy Hash: 91E04F642556805FDB0ACB58CAD4A513FA1DB4631570AC0D9E089CF353D665DC13CB90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d65d7c7b8fba5286b69bd0be55473c8ce5b45ed3477436885c00830015cc9ed5
                                                                                              • Instruction ID: 0423377b7d22889135abb6bf327dc3a8093eb844893681f81abb7df19f526a29
                                                                                              • Opcode Fuzzy Hash: d65d7c7b8fba5286b69bd0be55473c8ce5b45ed3477436885c00830015cc9ed5
                                                                                              • Instruction Fuzzy Hash: A4E0DF35B01310CFC3288A24E5086667BA6FBC9231B20853EE40A83724CA32D803CF20
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 2161a3a93e6a85b10123a8bf2c481dcef64ef62f5e68e8dd5a54686cbca8d7ab
                                                                                              • Instruction ID: 4e9b8ece0394be11c77af008253ea523010f52590d67528a2e4e7f29ae97c9e0
                                                                                              • Opcode Fuzzy Hash: 2161a3a93e6a85b10123a8bf2c481dcef64ef62f5e68e8dd5a54686cbca8d7ab
                                                                                              • Instruction Fuzzy Hash: 05E092367182508FC7078F28A9A54AD7FABDBCA2223188167F501C7296CE745817E761
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 4527f24c2bf1387c217809c7b4212112cb121f88ffa13da77257f50244961042
                                                                                              • Instruction ID: 866dc2150900759ab312f5b7fcc8540622c9045021a8c76e73142e5d2cfd9a32
                                                                                              • Opcode Fuzzy Hash: 4527f24c2bf1387c217809c7b4212112cb121f88ffa13da77257f50244961042
                                                                                              • Instruction Fuzzy Hash: 5BC0803130011CA7D6005654D41056EB79DDB85564B14C055E60DCB341DF73AC43C7C5
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: fc4d946a390a995904ca25cf9e3c5234b14a7afcb7210112ae86ced4dab4554b
                                                                                              • Instruction ID: 94d61777f8fe0decaf5f74763ff660bc59ca6c0b624e5e4d1533d79a3c783c70
                                                                                              • Opcode Fuzzy Hash: fc4d946a390a995904ca25cf9e3c5234b14a7afcb7210112ae86ced4dab4554b
                                                                                              • Instruction Fuzzy Hash: 15D0923AB101089F9F40DF94E4458DDFBB1FB88331F10C126E9199B214C6319A2A9F90
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 03f86102e3efb4acdf1fdbde77050fe27297a5182e4b5b314e08649ff17a1513
                                                                                              • Instruction ID: a201d27ace120bea94237a9162a28d23178794a5eaa7ebcec456c4181b93cc1a
                                                                                              • Opcode Fuzzy Hash: 03f86102e3efb4acdf1fdbde77050fe27297a5182e4b5b314e08649ff17a1513
                                                                                              • Instruction Fuzzy Hash: 30D0A73164415A47DB61CBF8DA093493FE8AB16138F1803C9DC38CB2D2D7269911C281
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: b7e677d9d1c90a6901c9e694d1bc13520ef28f34745aa3dca5a03f5b281c6978
                                                                                              • Instruction ID: 65e6f9a0ac36bfb64b12286e0ac21db87401000c973b6dfade1fa7d46a45ef2b
                                                                                              • Opcode Fuzzy Hash: b7e677d9d1c90a6901c9e694d1bc13520ef28f34745aa3dca5a03f5b281c6978
                                                                                              • Instruction Fuzzy Hash: B7D0A7B060A1C04FCF429724B8694853F259E433053044080E0419F153C5282813E729
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3b91b10dac4f7a1f8196ee033bc71e4de80c82959c0ac8db1ef1307506d2d427
                                                                                              • Instruction ID: 3ecb414f4c98e1eb789f38706340e3340c002be5c747b24791c2882ca413e282
                                                                                              • Opcode Fuzzy Hash: 3b91b10dac4f7a1f8196ee033bc71e4de80c82959c0ac8db1ef1307506d2d427
                                                                                              • Instruction Fuzzy Hash: 0ED0C9756101454BDE55DB19F499E893796E380355F109604E0028B315C23CA803BA24
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d2adfe9c8f0a8511daa2d03205f5a84babdf39f418bc9fa1e06b8159fcfa4c8b
                                                                                              • Instruction ID: 2cf4cb98707633f1a6fabbcb4b90f8811904f6f3bb0103f1ff9ae08fe8f11841
                                                                                              • Opcode Fuzzy Hash: d2adfe9c8f0a8511daa2d03205f5a84babdf39f418bc9fa1e06b8159fcfa4c8b
                                                                                              • Instruction Fuzzy Hash: 2AC08C727180084B8650CA64A809D22F794C76022270082A6EC08C7300EA32C430DAC0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 88f5b7e984ca4ed9b4de18d9979e87224ba45bffdfefcce8e4b8e39131374c64
                                                                                              • Instruction ID: 66c7fca16405759f9f69f279e76cae96dd95a5ca99b3b9e0dfb3d3ab94ccab1b
                                                                                              • Opcode Fuzzy Hash: 88f5b7e984ca4ed9b4de18d9979e87224ba45bffdfefcce8e4b8e39131374c64
                                                                                              • Instruction Fuzzy Hash: 1DD0129804A3D00ED70A56388C1799A6F365F83105F0558A693819B492C8284429C376
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8e73ada5630a615b5c3f0b9f4405b4a5f5c3fc6ee935a354e4c26c604407efac
                                                                                              • Instruction ID: f53dde1344ac1842f10e8473a8bb6eb7d985672c75a2e3b8cc516e866b123d9c
                                                                                              • Opcode Fuzzy Hash: 8e73ada5630a615b5c3f0b9f4405b4a5f5c3fc6ee935a354e4c26c604407efac
                                                                                              • Instruction Fuzzy Hash: D2D01232190615CFD30ACF18E682E08FBB8FB4C620F1020C5E2188F2B2C725E9028A42
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8d9afcb1274c3904e9cde73f97a7d4e2e10eda152b01d59700e5b9df9d7b1677
                                                                                              • Instruction ID: ea842c3e955c00fb2c9dd40319fd6b798171364bf0f4aa4f208f4ef9fc828d15
                                                                                              • Opcode Fuzzy Hash: 8d9afcb1274c3904e9cde73f97a7d4e2e10eda152b01d59700e5b9df9d7b1677
                                                                                              • Instruction Fuzzy Hash: D1D00236B4001D9BCF01DEC4D851EDDBBB1EB98365F145055D60477150C6315966DFE0
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 847e0cdb94a3b8b2f606be5e7b8c3b264ca3b334d1aa5675603e1535a6d98b2c
                                                                                              • Instruction ID: 7dc01e23e2674c379852e8ff2527d69488eedfb78191747d5f5af2bd77c88b86
                                                                                              • Opcode Fuzzy Hash: 847e0cdb94a3b8b2f606be5e7b8c3b264ca3b334d1aa5675603e1535a6d98b2c
                                                                                              • Instruction Fuzzy Hash: 73C08C303002089FDB04665AF80083A739FDBC4600B108070980E4B368DE25AC121A92
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8890afa0e994f74a63a8f428114bd1bdd570bf2f2c3a53fd6f9f2fa2546818d1
                                                                                              • Instruction ID: cf65f0ccb413ceefe6a4df9d7f716748ae9fabc21477e5b8499e71637f6a8325
                                                                                              • Opcode Fuzzy Hash: 8890afa0e994f74a63a8f428114bd1bdd570bf2f2c3a53fd6f9f2fa2546818d1
                                                                                              • Instruction Fuzzy Hash: BDD0927820A2808FC706DB14CE94800FBB1BF9531575EC2C998488F362C625EC46CB40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 3815598d0a3c3e11d17f6a03105d942fba492fdd86018a11e38fe374522762ef
                                                                                              • Instruction ID: af6a423b177394740b559dffb812befaae3e4c38a9c29870226c8f1b059f21d9
                                                                                              • Opcode Fuzzy Hash: 3815598d0a3c3e11d17f6a03105d942fba492fdd86018a11e38fe374522762ef
                                                                                              • Instruction Fuzzy Hash: E3C08C3292220287DE00EA29E40E7843F94E302388F418104F240EB304C728F1038A15
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 172abac141f5bcee81a1e6c4a283981ffdbd7bb275329c4460ad52473af9b8ba
                                                                                              • Instruction ID: 30cde9094c903dd97d14e74a89c4777163610f2d691dcd8033f7c356c6605021
                                                                                              • Opcode Fuzzy Hash: 172abac141f5bcee81a1e6c4a283981ffdbd7bb275329c4460ad52473af9b8ba
                                                                                              • Instruction Fuzzy Hash: EAD012111097C14BE3068B36C80531A7FF59F52604B09C4EA93D5C9193DA2494688735
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 8c38e728e47d4ebf911e5eeefd01f0c5f879e84365cbe56691e0aad4e30c3425
                                                                                              • Instruction ID: 8aae6907e0d157f8af0534b42035e8d62648f5ab613f0683c4e7a0864cb77cdf
                                                                                              • Opcode Fuzzy Hash: 8c38e728e47d4ebf911e5eeefd01f0c5f879e84365cbe56691e0aad4e30c3425
                                                                                              • Instruction Fuzzy Hash: 01B0921A4006208FEA288B70F98B340A7BAE388289FCCC2578810C6265D60C9C0A8014
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: d2a9738071915f773509a6a5fc3871bf2c6a5cf49328453f563776c0bb3df357
                                                                                              • Instruction ID: 4762103f6af4ead2bfb488b59aa60e5e5f1da4baf392cb44320a87456ca0d394
                                                                                              • Opcode Fuzzy Hash: d2a9738071915f773509a6a5fc3871bf2c6a5cf49328453f563776c0bb3df357
                                                                                              • Instruction Fuzzy Hash: DDC012308111018BDB098B20C146740BB21EB8132AF60A06CD0024A660CB36C002EE01
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 0b324b76c31db3e5896f74e2e449e24f5486be896ce189a5ad799cdeeeb873e3
                                                                                              • Instruction ID: 20317727413a2bb2bd0559b0ddd624a32d2cbb7e5a4ad388df1ff35f0dd9f4c9
                                                                                              • Opcode Fuzzy Hash: 0b324b76c31db3e5896f74e2e449e24f5486be896ce189a5ad799cdeeeb873e3
                                                                                              • Instruction Fuzzy Hash: 8CB09236E040288DEF008A84B4413ECF760E780239F100063C21952400833101694AC1
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3108103320.00000000057A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 057A0000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_57a0000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID:
                                                                                              • API String ID:
                                                                                              • Opcode ID: 406dac5c139cdb57122e67df7a8140eb07c55dea271d7c8adc793fd4354e830c
                                                                                              • Instruction ID: b6a7e1941b05a5c068b030d6def5ecb392f4329ff73610c73c6f0e5c76012305
                                                                                              • Opcode Fuzzy Hash: 406dac5c139cdb57122e67df7a8140eb07c55dea271d7c8adc793fd4354e830c
                                                                                              • Instruction Fuzzy Hash: 95B092311402088F8200DB58D444C0073A8AB08A1430100D0E1088B232C621FC008A40
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq$ fcq$ fcq$ fcq
                                                                                              • API String ID: 0-1559828558
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3109675391.0000000006130000.00000040.00000800.00020000.00000000.sdmp, Offset: 06130000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_6130000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: fcq$ fcq$ fcq$ fcq
                                                                                              • API String ID: 0-1559828558
                                                                                              Strings
                                                                                              Memory Dump Source
                                                                                              • Source File: 00000005.00000002.3088970383.0000000001620000.00000040.00000800.00020000.00000000.sdmp, Offset: 01620000, based on PE: false
                                                                                              Joe Sandbox IDA Plugin
                                                                                              • Snapshot File: hcaresult_5_2_1620000_Update.jbxd
                                                                                              Similarity
                                                                                              • API ID:
                                                                                              • String ID: (_^q$(_^q$(bq$Hbq$Hbq
                                                                                              • API String ID: 0-2667103384