ef973a48da0e0db845aa05686c88dccde5b7f96fc6cbb6e5e6e5b69fafca8c39

Analysis

max time kernel
134s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
Size

6.2MB
MD5

f0d21333b5e3ad75b259b332b2c1ebee
SHA1

f0906a181625ac4c2e778ccba199569ab26daddc
SHA256

ef973a48da0e0db845aa05686c88dccde5b7f96fc6cbb6e5e6e5b69fafca8c39
SHA512

ab7a60fb53b1815863136c92288517340a54aa0ed03554fb944f3bc11942bc938f027437ca79290bb049cb739b5fe2b0542bdbd8d8b168d56e20e8b4ea956c48
SSDEEP

98304:3agWvNIQMcn3jLtqCv+cCFphdrR81lMNDTKj9+b/j95I8jWwY2hp:3a3tMo3vtEFpXrR81lMNDTKjKItWp

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Control Panel\International\Geo\Nation	OfficeC2RClient.exe

Executes dropped EXE 4 IoCs

pid	Process
2712	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1216	Process not Found
2028	OfficeC2RClient.exe

Loads dropped DLL 64 IoCs

pid	Process
1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
1216	Process not Found
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-journal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\FrequentOfficeUpdateSchedule.xml	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-file-l1-2-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-xstate-l2-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.he-il.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.hu-hu.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.lt-lt.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.ro-ro.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.sv-se.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-utility-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVIsvVirtualization.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\RepoMan.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-localization-l1-2-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.en-us.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.es-es.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\i640.hash	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\msvcp120.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVClientIsv.man	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppvIsvSubsystems64.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.zh-tw.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-file-l2-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.ru-ru.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\OfficeC2RClient.exe	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-private-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.lv-lv.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.tr-tr.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\concrt140.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-math-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.sk-sk.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\cpprestsdk.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-string-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.hi-in.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\MavInject32.exe	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\StreamServer.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\vccorlib140.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-process-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVIsvApi.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppvIsvSubsystems32.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.hr-hr.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.de-de.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\vcruntime140.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-heap-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.pl-pl.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.ar-sa.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVOrchestration.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.fr-fr.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.it-it.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\ClientEventLogMessages.man	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVShNotify.exe	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2R64.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.ko-kr.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-timezone-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-conio-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVFileSystemMetadata.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\SharedPerformance.man	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-stdio-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVIntegration.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\AppVManifest.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\C2RINTL.vi-vn.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\OfficeC2RCom.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\msix.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\ServiceWatcherSchedule.xml	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-core-synch-l1-2-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRunOfficeC2RC8BCEA87-23EE-4728-93D1-358EF93A5938\api-ms-win-crt-convert-l1-1-0.dll	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\HelpLanguageTag = "en-US"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-d6-63-62-f4-79\WpadDecisionReason = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\UID = 8d6faa65ae1c7b4bb7d3bc13a74fd631	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362D691B-139F-4ABA-928F-EDC38A13BF0B}\WpadDecisionReason = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362D691B-139F-4ABA-928F-EDC38A13BF0B}\WpadNetworkName = "Network 3"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f005c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362D691B-139F-4ABA-928F-EDC38A13BF0B}\WpadDecision = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{362D691B-139F-4ABA-928F-EDC38A13BF0B}\WpadDecisionTime = 609f23bbbf76da01	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared\OfficeUILanguage = "1033"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry\RulesLastAudienceReported	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c6-d6-63-62-f4-79\WpadDecision = "0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\AccessChangeInstallLanguage = "No"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\XLChangeInstallLanguage = "No"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\UIFallbackLanguages = "x-none"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	powershell.exe
2352	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2028	OfficeC2RClient.exe
2712	OfficeClickToRun.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe
2712	OfficeClickToRun.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
2712	OfficeClickToRun.exe
1796	OfficeClickToRun.exe
2028	OfficeC2RClient.exe
2028	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 2600	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	28
PID 1504 wrote to memory of 2600	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	28
PID 1504 wrote to memory of 2600	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	28
PID 1504 wrote to memory of 2600	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	28
PID 1504 wrote to memory of 2352	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	31
PID 1504 wrote to memory of 2352	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	31
PID 1504 wrote to memory of 2352	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	31
PID 1504 wrote to memory of 2352	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	31
PID 1504 wrote to memory of 2712	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	35
PID 1504 wrote to memory of 2712	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	35
PID 1504 wrote to memory of 2712	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	35
PID 1504 wrote to memory of 2712	1504	2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-15_f0d21333b5e3ad75b259b332b2c1ebee_magniber.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2600
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  OfficeClickToRun.exe platform=x86 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/sg/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.12527.22286 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2712

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:1796

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\teams.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{FB9843BB-0D8A-4347-A227-C759C3FC9103}@INSTALL"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll

Filesize
232KB

MD5
0dd3725758d8009356a1038a9c958bc4

SHA1
46b8d628a76bed0a3b4c16cce0208c20a2151db2

SHA256
85ab73bd6dbade74341a35890b2d1ef1c5aeddb70d84931250683ae569b7980b

SHA512
8e737aec7c27e0bf495f823c2e45ea49f5f51d22662e33b03a4ad998fb4e8030bd92d093adb8c1d5d082f00c93794ac1283bb9fe69ad5c32e7eb8fc8ca57cd6d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll

Filesize
3.1MB

MD5
685539cd3f1a5111c4beba1bc5f17d0a

SHA1
e112f7071f63903cf35a59f121ca54065689db9f

SHA256
6710e30c16b837650d63667e86c3a2ebcde05e0b03ecff1786c376b97909aa28

SHA512
3334d91793f7e1367e0e600bd5c0d5e7317706f85f0b65ad57a7f23ab4281ebc88412bbbd7fdd8dc2dfcd738a9e6271c2719119710e17ecd4e33dc03fbc90c0f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSVCP140.dll

Filesize
613KB

MD5
c1b066f9e3e2f3a6785161a8c7e0346a

SHA1
8b3b943e79c40bc81fdac1e038a276d034bbe812

SHA256
99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd

SHA512
36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Filesize
2.3MB

MD5
9cb124f1645517b27beebbd4cda60ea1

SHA1
e7967aff39de45d4a016180a14e124e584d436a5

SHA256
50545dddee0e25c438b2084260e7ee9a0bb8d06ee030cddb51206edf39afcecf

SHA512
0c743ba254c3dc9cdf3153f0208e43f6860722b6c4a6e24bede4bc84259bf9db26ba78e7f7af211ef084822d082b444c40ee314791b37e156b1332965f09065b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Filesize
10.6MB

MD5
389e63892ee7ae690622b75947b91914

SHA1
ef70d48984610426c8ff144a84e0510c8d64409c

SHA256
f7f7c97acb6b67453077795331662713c39320fcab1ecc49807440b25e14ae84

SHA512
facac49a776f47ae2f2a5c975c10eede61dfe1010a01e779cca7a5a96fb8f363a0d1eca03417d9993c25c13a75df697d9571e6e94bdcda7ab998c6ab890e774f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
19df2b0f78dc3d8c470e836bae85e1ff

SHA1
03f2b5b848a51ee52980bf8595c559b89865de07

SHA256
bd9e07bbc62ce82dbc30c23069a17fbfa17f1c26a9c19e50fe754d494e6cd0b1

SHA512
c1c2b97f484e640bfdda17f7ed604d0583c3d4eaf21abf35491ccedc37fa4866480b59a692776687e5fda3eaeafb4c7bdb34dec91f996fd377a328a89c8d5724

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
adb3471f89e47cd93b6854d629906809

SHA1
2cfc0c379fd7f23db64d15bdff2925778ff65188

SHA256
355633a84db0816ab6a340a086fb41c65854c313bd08d427a17389c42a1e5b69

SHA512
f53e11aa35911d226b676d454e873d0e84c189dd1caea8a0fe54d738933cd6b139eca48630f37f5979ef898950d99f3277cba6c7a697103f505d876bea62818c

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
6b4f2ca3efceb2c21e93f92cdc150a9d

SHA1
2532af7a64ef4b5154752f61290dcf9ebeea290f

SHA256
b39a515b9e48fc6589703d45e14dcea2273a02d7fa6f2e1d17985c0228d32564

SHA512
63a42dd1cb95fd38ddde562108c78e39cb5d7c9406bf749339e717c2cd866f26268d49b6bd966b338de1c557a426a01a24c2480f64762fef587bc09d44ada53b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
247061d7c5542286aeddade76897f404

SHA1
7285f85440b6eff8731943b73502f58ae40e95a2

SHA256
ccb974c24ddfa7446278ca55fc8b236d0605d2caaf273db8390d1813fc70cd5b

SHA512
23ef467f6bb336d3e8c38000d30a92dac68e2662891863475ff18dbddbbbce909c12d241b86dbdea085e7d19c82cd20d80a60ffb2845f6afebedf06507afe5bc

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
b9bc664a451424342a73a8b12918f88d

SHA1
c65599def1e69aed55ea557847d78bb3717d1d62

SHA256
0c5c4dfea72595fb7ae410f8fa8da983b53a83ce81aea144fa20cab613e641b7

SHA512
fe3f393fd61d35b368e42c3333656298a8243ba91b8242ee356950f8925317bf32ce4f37670b16a5a5ab5091903e61ae9c49c03fdc5f93193f215a58d80b9311

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
bdd63ea2508c27b43e6d52b10da16915

SHA1
2a379a1ac406f70002f200e1af4fed95b62e7cb8

SHA256
7d4252ab1b79c5801b58a08ce16efd3b30d8235733028e5823f3709bd0a98bcf

SHA512
b0393f0d2eb2173766238d2139ae7dea7a456606f7cb1b0e8bc0375a405bc25d28ef1c804802dddb5c3dbd88cfd047bfa5c93cbb475d1d6b5a9a893b51e25128

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
afc20d2ef1f6042f34006d01bfe82777

SHA1
a13adfc0d03bb06d4a8fe7fb4516f3e21258c333

SHA256
cd5256b2fb46deaa440950e4a68466b2b0ff61f28888383094182561738d10a9

SHA512
2c9f87d50d60ebe4c56257caf4dcf3db4d36739768274acc1d41d98676c3dd1527a9fdc998bfa00227d599fb9893aa20756bc34623fa9b678da5c10a0d0d2550

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
fe93c3825a95b48c27775664dc54cae4

SHA1
bae2925776e15081f445fbdd708e0179869b126d

SHA256
c4ed8f65c5a0dbf325482a69ab9f8cbd8c97d6120b87ce90ac4cba54ac7d377a

SHA512
23a7bc53b35de4893219a3b864c2355fd08f297b3c096000e1621ca0db974aa4b4799fd037f3a25b023e9ee81f304d351f92409aa6d9623bf27b5a8971b58a23

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
d76f73be5b6a2b5e2fa47bc39eccdfe5

SHA1
dfed2b210e65d61bf08847477a28a09b7765e900

SHA256
6c86e40c956eb6a77313fa8dd9c46579c5421fa890043f724c004a66796d37a6

SHA512
72a048fd647ba22d25f7680884ec7f9216c6bdbb7011869731b221d844a9a493dd502770d08dabb04f867c47ece29ca89b8762d97d71afe6788d72e3f8a30bb7

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
5d409d47f9aebd6015f7c71d526028c3

SHA1
0da61111b1e3dbb957162705aa2dbc4e693efb35

SHA256
7050043b0362c928aa63dd7800e5b123c775425eba21a5c57cbc052ebc1b0ba2

SHA512
62d2e5a6399f3cbd432e233cea8db0199df5c534870c29d7f5b30f935154cb9b756977d865514e57f52ff8b9be37f25cce5118d83c9039e47d9e8f95aa2575ce

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
0d50a16c2b3ec10b4d4e80ffeb0c1074

SHA1
b81f1639d62dfc7be7ae4d51dd3fae7f29a1a297

SHA256
fab41a942f623590402e4150a29d0f6f918ee096dba1e8b320ade3ec286c7475

SHA512
bfee8b2fa8bc5d95e699a82d01a6841a9ac210c288b9dd0aba20b7ebbcfb4363adde439404fe98dc03a6db38873902a335bca77e484fb46f04218696395f1877

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
877c5ff146078466ff4370f3c0f02100

SHA1
85cf4c4a59f3b0442cdc346956b377bae5b9ca76

SHA256
9b05a43fdc185497e8c2cea3c6b9eb0d74327bd70913a298a6e8af64514190e8

SHA512
4bc5116d160c31aa24264f02e5d8ba0bd33e26e9632f9ad9018f5bb1964a5c99b325b19db9895483efb82f173962c8dfe70a857db3dfd11796cba82c0d9acd8d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
c25321fe3a7244736383842a7c2c199f

SHA1
427ea01fc015a67ffd057a0e07166b7cd595dcfd

SHA256
bf55134f17b93d8ac4d8159a952bee17cb0c925f5256aa7f747c13e5f2d00661

SHA512
3aa08138a4bba4d5619e894e3ec66cc540db9f5fe94e226c9b4fc8a068ddb13039335aa72731e5dbdb89dfc6550c9f5d8f03441001c8fd43a77795a2197a8c60

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
53e23e326c11191a57ddf7ada5aa3c17

SHA1
af60bcca74f5b4b65c2b322ac7a5cedb9609c238

SHA256
293c76a26fbc0c86dcf5906dd9d9ddc77a5609ea8c191e88bdc907c03b80a3a5

SHA512
82c71b003332006beeafb99306dbcc6517a0f31f9659ea6b1607a88d6a2b15420aef6c47dfaf21fd3bd7502135fb37ba7a9321fc2a9b82c7deb85a75d43a6f58

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
05af3f787a38ed1974ff3bda3d752e69

SHA1
c88117f16a0ae4ccb4f3d3c8e733d213de654b04

SHA256
f4163cbc464a82fce47442447351265a287561c8d64ecc2f2f97f5e73bcb4347

SHA512
9bc364a4361e6ce3e9fc85317e8a252516006d1bae4bf8d2e0273337bbb7fe4a068a3e29966ff2707e974af323dd9ab7b086582504d3caed2ceb1e14d4a37559

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
f440dc5623419e013d07dd1fcd197156

SHA1
0e717f3ab9ccf1826a61eeccda9551d122730713

SHA256
bba068f29609630e8c6547f1e9219e11077426c4f1e4a93b712bfba11a149358

SHA512
e3fc916011d0caa0f8e194464d719e25eec62f48282c2bf815e4257d68eddb35e2e88cb44983fe2f202ee56af12bb026da90a5261a99272dabf2a13794a69898

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\c2rintl.en-us.dll

Filesize
47KB

MD5
768ee4b5dcdeb6171f74411e890fa264

SHA1
c485d9cd5b470f82b2828ede13df257f67a620d4

SHA256
52170d9c4485734fa6ee85a942a58a4348e52b3554f6d0d078341516678ed4ff

SHA512
f290cd09951e3107968729674bf26cf1292d8e3bff987e16f24c9b899c5ef17f8eb6cd66ef4d5790f43af01519aca9273e0c0ee3f14c2a1c626c080b8d1d2f67

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ucrtbase.DLL

Filesize
960KB

MD5
ed27c615d14dadbe15581e8cb7abbe1c

SHA1
c0f27e244eb98b0008ad9fe8cfdf27c8eeb656b0

SHA256
1ca33187b0e81cd0b181a554718cafff2d17c3f6795e6e0824f844abfbaddc07

SHA512
b0a47e66b975913be04096bd7af57b64cd57eff9ccaa2f44115a75799f5791ff9f85c8b31d6ebcf3b9706a91a4df12b720749c67e8f1c89b6951c0524daf1d31

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\091EABA2-E32C-4CEB-890A-8996B3773133\en-us.16\MasterDescriptor.en-us.xml

Filesize
28KB

MD5
82b22591e493dc197c520739511e40a7

SHA1
b0c4caf9ae1ce57c62f10517bed22172a1acca91

SHA256
ac7378ce7eb8beec2f6f36c37079071b4e30f695a106be598b484c3bb8ef6bbd

SHA512
71585a368d090ea8fae4530ff2be9b738510e8ef2fbbc32b289774e479ccd9b8cc580260cac91a54cabbcff1e605de1a1179947da3bb69fbd4d7280443f5d4ad

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\091EABA2-E32C-4CEB-890A-8996B3773133\x-none.16\MasterDescriptor.x-none.xml

Filesize
27KB

MD5
fc5a3e4b4227b6db1147154680e467a0

SHA1
2c0e13c546970808b48aa2c72534fc6319f97f80

SHA256
4ae133c639e8acef769a3fdd013f5055a0d6c9e662100d92f1009e870ea05a02

SHA512
71b39cb625d4d4902a520c4dccbdbe6e10818e74f9de95493ebcc7cda9761d2069d3bbf7abcaeacafe5ce09a60347b87f51ffa929376ae3fc98d8eafd1490604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a25aadfcde82c3ae8966836308d651b

SHA1
df9a5c4acfddad2dfec9c0b6317120794438a129

SHA256
837bfabb7fcdba13ab85c4ee9da62cdde1cb28e1c03dd7564c12a1f698c60865

SHA512
54bb5b5d04b28723576e93c9d00677ef06001955a4e5559b778140beda4f1ca3df3647c9768062eae0b3c4dda7dad6975462e775e3fbf9c04e675a4c3e6aef87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b488bf15867d6725d326699f9b933c3d

SHA1
44b4a78b4b0c259b49ce3bce46a33c377850d144

SHA256
6ddf1dbb8d52927c1372f59da82c12d1ba188c5385974f53a5c9e88b740f5df5

SHA512
9d6cf450b3dfe85070a516785417378ff98dc25cf53b843b0e0323b647590ed2f3335537fb96c4aae37dee1709a901190d7d644151c669c09aebc839208ad012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
557e93462ced1bb32e7b73041095ccf7

SHA1
2f0b9d001dd5038455f3c4d706bc5f16f64a252b

SHA256
3b2c5f0e6294a386200e5c79b498c2827c509d2b04d4d06cb04a0f3367153bc8

SHA512
c260228b90a923c90398af3127561ccdbfabc95e35f8f16d28f457f9d34e907cb3e29c4b3320a69d28164f5317cf8f8f5f8badd5a74b9c6e83f78e69ca243114

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
481bbb711474967e4242e5fa596e54c1

SHA1
1b232d289fe2e5faca4e707db7b3b57e8f4fb67e

SHA256
dfa72cd191ce14df5be1364f4debc2b5572b0cba3a2f700a9185c1332a01532a

SHA512
f1e2dbc56cc8cb128efb2a1ac3e7c628bf4cd214687d3f04130d12037b3936094109069c6d482b3e95ab4ed740f4ff257efc0cbf32cd6cbbab1ac29649cddf5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2671ab390a6fb3d3dbccc9af6dd96e22

SHA1
7be0db9653016d8e822d426c4d2a22adf33619dc

SHA256
d8ca22e5423be869a1d7c52a912cd222784368b2dd0218b09041ec6f83e142ae

SHA512
28b572856bc66b40272b69be08cb6f19ada9ebfef75c3830357ba08784b1e455d11f48c9bc7ed8a65a85a68f55ffa1b0a0ba58f3f3e1f2c513a7235a0c0d7c3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9d3da759a78220692f553f3087f918fe

SHA1
e53c90932bf7aacb136f2cd64b74434b1235d4ba

SHA256
ee6f1a380d26776a27aec23399bb1e2068792ec1469eb02ab7d6943bb0045c0f

SHA512
eebb51fb9c7b7b82eb8c51641d3819fbb740fb4433ac31b7666aae3288f11515a2295c948e95e8b61d80f8157294c1ecef6b7c40759dbfa557c577681c12db7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc658685b85bf8e0f695d94d57018104

SHA1
cac84dca0fbb2331ae5dfdeca64be37abb64c0fd

SHA256
7006952765bbd3be759d8d0be36a9ea5ed64d38e82d03b1696486695d0d4e1ef

SHA512
28480853955b33e2d29ba79eeaa1c2d86aba69c137dff7ec63e9c8bce9e726cb5a656be5c0c0d7066efc3d254b868f55677956407c388f8c0a2d31a0cc889c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d800295ac374d7c7f3852e66afc6bb5

SHA1
510db06a848cb3d0ebe9752f5e37c7d89da3442d

SHA256
ebd994dcf5332981bd325dca9e89ef9fe045c7a7c2432a2e7f3708ee8069230c

SHA512
224865113f57d618377bad6e29d93e23f739b05c2dd470c92de283b0e50663a7e4d20ddafda2b96b89ca5af60bd4f019cb54701fa9a013e4be69f4b6e39c0a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch

Filesize
974B

MD5
1ae329ffb84d24de563f2d50ae4bd134

SHA1
36b6f9d7a632441bd1bbfafb8b4df22f51829289

SHA256
ade0f5595f9c07b7c4578009a082c76db9fb82989230ebd6889bff120ba76e0f

SHA512
63e769656424e2a0015716f43749dc488fffa8e9ebfa1c42cc2930dc2a909ee047e3ef55d2f6aa4d287daee36cc169cfc4aec046473c8f5051b2958a9aa5ed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2R567F8CD5-19E0-4B8B-AA30-5085431C7B98\VersionDescriptor.xml

Filesize
6KB

MD5
bb60324022802923266b3568f5e34752

SHA1
f5e5416cdd8c467a87516c5fa15680644885526b

SHA256
1e5da48ff5ac445abab7ceea569f91b1c7e0e0e89a99120f41b687715f5bb219

SHA512
4f2f0689d913f46cda2a3075d9571414c945db5270ff6e32dbbb1939e7cb46b09d89f1d4b739dd233ba1cd392a88e6f21a83024fd3ae05abba221fba9cb8d86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2RE8E06062-CE83-48BC-B364-C3F4184B8589\VersionDescriptor.xml

Filesize
25KB

MD5
83dbf0bc1e90f2bc27ef5abc79163612

SHA1
abb5ae599d1efbd2f015f8b760cd7c774ad471b9

SHA256
a123c49746e7bab9d7319c7175b18939a114c74ba684172abe787614b26eba08

SHA512
bdecdfac10b8c510258d2979ef42a834233589abe02c05e86b376599d11d541ca12d83ad0a983a5e87e72ccfcdece41f522e48fb5ccfae4e86c7e6152db379f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7047.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b3cefb2efdfeb73b59483cbc223c2fde

SHA1
390859b2d941d7fece106ef00c91c9b70e0e44e3

SHA256
d8ec4eee8a0b0b2d52ffe1a79c5c155be238d2fc103676378c8f652c6b381000

SHA512
9257772f9b6ee72eea55e4478a61cec943b18abff9d76e64b266f1ce7134a6a5720b6b58018ce0157dc182a7f0297ed2dbb7599618955b8d21c2ae3e9c749e71

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
e704ab08d2b305b275fa3099a1109635

SHA1
badfe5f57a84c9776c92d7c76c418248eff6e7e0

SHA256
51daefca59dc57fd1453235881b93530e3ab3a6cb46866bcbe85a818cdf124d8

SHA512
642d16d5190fd6acfdf193b8f1e211408d791680b187780a98b1a0e3e8ebfe8e6eb9d7602657f3ddee0dc6b1c3c4e631e3a44819c799fddaef05bba02009711f

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b991089be7af4fd2d041f0a6f85bb094

SHA1
10f6a37dca29a9b2eaac0ec63b6e61beca18420d

SHA256
c445aea8289e1b7225e140f229030b34410fdd5e2f03a9f75cc45400a1abff43

SHA512
f58b9b963d68e483208836db01577c4d656bdc70256b96951127b44df20000a121a32e580ff80d3260b40ff446efd24e221cb7175fa89e095504721247ede0dd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6e5dd88c7aea055e253f5257e9e68dcc

SHA1
fe948578909147d6f1628df319a6801d423d9440

SHA256
ec5345f92a2c230cdbcadd403025ba345656153f8476553f2e608c7cd1d9f13c

SHA512
51a3006749923446bd868fe6bfe6f88dcda666c9c9479365abe120cd67953c6c9fb1f0ab61b429ca5e2556049523f4fe64e5a81156275bf73ef484f233297d93

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce23c75dd5f8b1fa7dc5fde0da515cf0

SHA1
0e6b30ffdcb054eeadef8b81811fa2a78f859461

SHA256
77b6d75b97b9cdb902c2aa52d7d920f3b9c25163360fbcd8cf0df2ffe2caa5be

SHA512
b21b7c5b9fd3348ffa057ff2f3fa8f3c7830a5797ccc2e00d81510d2f22d49da5c39388ecce0cd222e5a33575d05121953d47bc182c2218ce0cadc5103182eb1

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1e207b49e1158344866a151ad7e7c9c

SHA1
d38416636352f41f04f31b51bcaf39e098011c74

SHA256
b22578350e9d196c77b47efad4b9ec9ce109487c5e34b0b160d1108e53569dee

SHA512
43dc810c2b845db667a143dfe6ba1b423c8b8896602074ceea31c07973a6921baff94db981b74ddb197dca5327660c78654225fd11d74959af87816803d743e2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7b785c1e8f13e16212d71080e2df6306

SHA1
390f99e27bd31fa84b94f03c075a7bcd31f0284c

SHA256
faa4989737991f8be26e247fc6292d1f9b0fe87db6362188053b80efbc8e041b

SHA512
7dbe2b1f78a42882422751702944573d71cc644f5297ffdf63ce3e6c86b1a1f5d4b3c463ac34574a8d85e6ccdc74246ec6c1d215a0c433038c98adfd4cc9e4cc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
383bdf3409d0cc1b45124c28b0ccdcd5

SHA1
4321d194a83a0de27098847e0e6d112fac8d955c

SHA256
7928fae3e0916b45a495f980086c0c0b943b7a5408ccad74595c7d9e76878dac

SHA512
2d142d5264de32b45fdd696d820905e3d4b2fdaa32aead0da22c3a9b31e33c770aef9e76ed3080ed003b619db37a7f897caa2173a2c3984995289d7cdc50064c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
93f37692c8c01d3d87af88f16dbd2549

SHA1
e22b7f9f3d7f95265f62db67d117f3fb5aa5c0ee

SHA256
6fc6525c86246dd174f7657e91d4e1b2944a23de10ff1492718f70b0e7dbfebb

SHA512
7dc80a1a032226254b2604b2889c1d546ddb2038c254f664f005378498195be1dc1c7c94889f6fc029e8ee4d52d8ba9752b731cf4ac7227a7eaa65487a641b71

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65ba233fe896b385c475de3024bbe99a

SHA1
d003055a51c6fdecba8feb21a2b46098c12f0f93

SHA256
d2b3a6a2b9be089282c13334335677134b2ee9e5e51adbcbbd78bc666efe9875

SHA512
7e9532e47472d997179e209bc48845cffc7fdbf4d0fb57e135c1fa29fdcdafcad00e145fe25d4bb2e7d47d310ffbcdacffd8005426d066ac1d072fe14c501fa0

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b7ba72cc3c5c531830ad1a1b9b0dfa32

SHA1
21d45a14f90cfbec06ee405c693ae64be6d9150a

SHA256
3eb7e7472bc9652a3cb9bbdb6d65fc0e73fe3b681d507f60f22edb348e6c5e4e

SHA512
47336832b3c4bf19565ffbad321da47797a609ee5ebc55a52025751379a7deb4c8997af9f6d2bcc8ae0948b0c6a3ca164dba755d0d6a04d8cf39b182debb78c5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3bfe3a74fd74a05e874eb8bd28881c8b

SHA1
7c87fa932c2dcb414f15255c56f2715ead72b46a

SHA256
9d1be4afbf9c7416a852498fada2b410d3f1e386d305c988d0976bfe1b04fc1f

SHA512
55436c18d5e0cbe03643602d227eef1fe88f7be3c6e1f7803ee7e5ba0f17a0306ef954860d5023eefc947b7ba8fec9e37ecd410e2dad160186fb225a55c30386

Download Submit
C:\Windows\Temp\Cab9011.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll

Filesize
1.5MB

MD5
124f00340102764fdde69b8b49307805

SHA1
e2c08d41e9f932d404bdff14ff32c5cec59832f9

SHA256
59b150896d68f2df14ae9918265b2d9d1940135b71be0d1f171d09889b4e1e46

SHA512
c532f7e77d6aa3ccbf76e18a1c86479a77069041bddb0c0e9f23058ba86853c28135a309009ef6a30324b3663cc33edd931bf331cda6a027ad3b1b626a263562

Download Submit
\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Filesize
5.4MB

MD5
0522fae6d9883aa8cf0403388a6bbc34

SHA1
21aa8bcf9be2ebfec54f14a5e9576742bc0468b6

SHA256
a5288ed5b5b52436d0b6efc817e825951366d4f05b6f7b376fec06448d5f8804

SHA512
5c3540ce23ce08c82fbd50132e165bc033e2260b7c366d395262970516facbba8d2d7759e3ce9065f707e7e37dce6a9874598afa538682f0d1e5eebc7e0e0c5a

Download Submit
\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
3a96f417129d6e26232dc64e8fee89a0

SHA1
47f9d89ea1694b94f4f8c5558311a915eca45379

SHA256
01e3c0aa24ce9f8d62753702df5d7a827c390af5e2b76d1f1a5b96c777fd1a4e

SHA512
0898c2c8751a6a0f75417c54157228ccf0e9f3facbfecc1268ecbd3d50eca69a3909c39ca788d9e2d5ccbf3b5ebcdc960df49e40a9c945fc8007d2dc4474f718

Download Submit
\Program Files\Common Files\Microsoft Shared\ClickToRun\vcruntime140.dll

Filesize
83KB

MD5
1453290db80241683288f33e6dd5e80e

SHA1
29fb9af50458df43ef40bfc8f0f516d0c0a106fd

SHA256
2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c

SHA512
4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

Download Submit
memory/2352-135-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-139-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2352-136-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2352-134-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/2352-133-0x0000000072660000-0x0000000072C0B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-21-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2600-125-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-62-0x0000000002530000-0x0000000002570000-memory.dmp

Filesize
256KB

Download
memory/2600-12-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2600-20-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2712-1840-0x0000000002510000-0x0000000002520000-memory.dmp

Filesize
64KB

Download