Overview

overview

7

Static

static

3

2024-04-29...er.exe

windows7-x64

7

2024-04-29...er.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    135s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-04-2024 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-29_6a824a29bbc827c1492aaec9993d56a0_magniber.exe

  • Size

    7.6MB

  • MD5

    6a824a29bbc827c1492aaec9993d56a0

  • SHA1

    b2e5d98607a28977b1b62da54cc3cc0ab8534682

  • SHA256

    e77dbe1008444e4681a07b24a5b24d9d38e31cbb84d0b6af4dbb3cc200f5834f

  • SHA512

    41e0fa2a56da873b3eb76590a6a89a798066da2c0274b64c75078598fb17e0f496603081e41beba232056e1377294a7cf8737ac57213e3c43f208779105914a7

  • SSDEEP

    196608:8CeTsKoKTljtoFbBNyGDkq9orV9RGb3w8qgHeyLbc:woWton8rV9awFgHeync

Score
7/10
discovery

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 32 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks system information in the registry 2 TTPs 8 IoCs

    System information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 12 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 12 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-29_6a824a29bbc827c1492aaec9993d56a0_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-29_6a824a29bbc827c1492aaec9993d56a0_magniber.exe"
    1⤵
    • Checks computer location settings
    • Checks system information in the registry
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3592
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/sg/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.17425.20176 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown scenario=CLIENTUPDATE
      2⤵
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of SetWindowsHookEx
      PID:4624
    • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
      OfficeClickToRun.exe platform=x64 culture=en-us productstoadd=O365ProPlusRetail.16_en-us_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/sg/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.17425.20176 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks system information in the registry
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4976
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks system information in the registry
    • Drops file in System32 directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:748
  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
    "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\teams.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Loads dropped DLL
    • Checks system information in the registry
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    PID:1160

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVPOLICY.dll
    Filesize

    1.0MB

    MD5

    20ae1459b18c035d187ebd44d6fe23c2

    SHA1

    9fd7012e099ab2c8a39341e7260f050e6c997a6d

    SHA256

    f694caa849ce8b91e5ff374af38c8fc13af15b477b6f3401a13056da11d6f818

    SHA512

    978ab47b667ca96cb16c02a19692433d1dd46f1209a4fc17e6ebab026b3a665b98298ef1df877faf77d3fd460f052da80c2e6d1ed40cbcb2da97bb648700e585

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll
    Filesize

    1.6MB

    MD5

    df8403e03a06679d9077a4161849671e

    SHA1

    6635f842092ba46af0520ce0fdb978c6b12a7be7

    SHA256

    49738cd60073b83e07957faaf57ac2fee48fb44eb9a69d9a96591b9fb045d06c

    SHA512

    433a869ba671361f7a72601cf9f47dd560aff5abdb69557ae8cf9d7572646a762e711e7f3dba32f5c04b2e8865c8bc29227cd5197a7cb0762131e8baf4ec8b18

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvStreamingManager.dll
    Filesize

    189KB

    MD5

    5cb3f3f7d8d9afe46bf220b1076f7272

    SHA1

    f6ba4dd48e9deddf6094c9f5fb1bcf761e9e31d7

    SHA256

    97119e4ac0b990aabdcb218dce06c2752bf4e37ad7139390cbfd466b1b67889c

    SHA512

    42f8813eb73e1757e200d18e5ae7ee381000466cb9eee11d11993b81ff9b2364995dc293e3109f7e1cb35a2081b0ccc46942afcd03ba24cccbdac61313187f1f

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll
    Filesize

    1.0MB

    MD5

    c9f1a48e9594a1e00a754d0bf50fa6cd

    SHA1

    c07ac2f5d10c007e33a76261dd4b9f5a7ca9a67e

    SHA256

    b9ce70c3b1a73efe80753a05d93d1f84d43456095e1f72358a7cc5c48444d0b3

    SHA512

    3a1edfdce7884558a9ad728e897ef0b3268c18f68b79441fe6eaa4505cbb9ba757b9907ece46781d09e57e32c949e64c973e4ac848bfe9b88c53777e0c05bbff

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll
    Filesize

    829KB

    MD5

    ddc59d3df358f9372708531b977848c3

    SHA1

    e1a0f9b58dc5579bbd5845bb6d3a7da3b5d8b7da

    SHA256

    fedc8cf10ab72e7a0ec3a493356157028fe16d2ae97f73dead28fffde1b7c935

    SHA512

    4b75fe159eeadd71fea2e3b569796ce547808bff5c183d271e3d2aed7ef11311121f7ec768bcbc1c0354b771f971aa2b46836a8a6c2b0c1d2f8b21922943dbd3

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dll
    Filesize

    2.8MB

    MD5

    530ee57634fcfcbbf83a1280d7734abc

    SHA1

    6121081dd0e415d8925a4147e7fa6fd434efab85

    SHA256

    702758ed69a603bffbcf007699ca8049297da1e3685cd36c67fed7f429a473c4

    SHA512

    d33c3a4299814aad12f88b51a0e451bcebd327c56e5a71555b4cdfc84b78dc097947994f1470331f805a5ac534e605364a0215a4486b0cf595850988439d41ca

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\CONCRT140.dll
    Filesize

    315KB

    MD5

    9485d003573e0eaf7952ab23cc82ef7b

    SHA1

    75b1dcafc21ddc7c3877caeac06bb04ebf09ea40

    SHA256

    5e0e8eac57b86e2de7ca7d6e8d34dddea602ce3660208fb53947a027635d59a1

    SHA512

    50bfdcc4f889cd40fe1b79bd3b32515c18836bc533d5590c95ecf4af5041df61c87df6ad87ef9323e19771de00d7d483fecd07fb7674df380be8839f6ff3256a

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\IntegratedOffice.exe
    Filesize

    5.1MB

    MD5

    75e46c342e51ddcfd2b0ad7b18a47e61

    SHA1

    bfc1042128cdd9ba73e7954cf5327ddc2cbb3459

    SHA256

    96b47d7d0d8d3b12075b7a0d13f90a7c2df032a265511790c00b7ab4f004990b

    SHA512

    1a26ca09ea8a3130fa1b9509349ac7d94469d8fc96d6b816b2638f449910955efc3238af5004bc10e1bf7149b15b9f4dd2f372d483f7cd99b41acf2cc247a036

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSIX.dll
    Filesize

    2.0MB

    MD5

    47a05aec297a3193754eab4e6b46afd1

    SHA1

    6f65a187c73e2e55feec7300230e8a59326b09f5

    SHA256

    06bf1de1fda59eea875ff942ed1c2e8399b31efc2e3ca6fed1348c56b5defba3

    SHA512

    ddcac38d8af0b5d50ace0c09ecc7a1a62aa5ae20b6e2480237dc6029d74664229690208c5cbe401ba8b3168016cb52ec6c650f51301d680d448437404e0ac84c

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140.dll
    Filesize

    116KB

    MD5

    e9b690fbe5c4b96871214379659dd928

    SHA1

    c199a4beac341abc218257080b741ada0fadecaf

    SHA256

    a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

    SHA512

    00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140_1.dll
    Filesize

    48KB

    MD5

    eb49c1d33b41eb49dfed58aafa9b9a8f

    SHA1

    61786eb9f3f996d85a5f5eea4c555093dd0daab6

    SHA256

    6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

    SHA512

    d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\appvisvsubsystems32.dll
    Filesize

    1.3MB

    MD5

    75e832bb1529d87a88ef49034e381930

    SHA1

    9b8a52c3c9b3a88c3bdd3b5f5aeb0aecc3df67e8

    SHA256

    4a7ac11ff22d5d842c47be8df6ca98f99c7d48e7ab2f638ccd01eae253e424b0

    SHA512

    6e285a0484d57f6de0ca78a24fb46d9626741d764356d12e2ea6fab32e00a3f285ea0722b89b5a63c11179a5d1ed2a065f97b9399f63f67981fad01967ae654e

    Download Submit

  • C:\Program Files\Common Files\Microsoft Shared\ClickToRun\repoman.dll
    Filesize

    5.7MB

    MD5

    ec3f98182da4d10c0f4a3f7a01ee50cf

    SHA1

    380b71faa9cccd1a2e7d5e8cf2d1100f60c3b29d

    SHA256

    2dc9ab16e59688e50f04928fe098fc40d693c6454d1d9e0404df912254f1e132

    SHA512

    a13285b00f7b8a13704944312a736b020b3d1e3f9753b582cc26fed0db0ec5a2f6f19a07341b21f693451b33c933694605274beaca81ce25827c9fe2e34b8d8e

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll
    Filesize

    532KB

    MD5

    c020ac63dd9de96a169fc1b3bcc014a5

    SHA1

    66c037d5e4e9bfb1aebbfdf9d4b15eee0f852929

    SHA256

    76c20553c8072c3ad729904b27e9c10692fa0e91db06f359bd49e868ef323010

    SHA512

    7698adb46c7c5da979bc667cd7b74c8fadcba154d946264f5f5337ca618a67fc675ce708669884f774fc87811cd3e1671fa5e2d15a7fc12a539389322892a65f

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll
    Filesize

    597KB

    MD5

    647a0967315ed80dd590fe111f38bed7

    SHA1

    f311845d591fcab6c9b086f519e6f83b52ba960d

    SHA256

    95a069ff97824a004d4fada58a23c78b775db72de5570a05977355149df67cb6

    SHA512

    0178a3f488e6972ca87a56fcb4bad16679df88149ae265e29c8a2aac3bea75de1cce5e82575de0eef4303bfdbab2593d96e5074f10a7561c83cde22972590d7e

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll
    Filesize

    297KB

    MD5

    94d6fb63e0fcc7db6ce26674e61a06f6

    SHA1

    34d019f759db4649d89f584437804597b5d02395

    SHA256

    53090adc6e512a6cc52fdd7640736b9352537e757520db7b808857f179bfb3a3

    SHA512

    83a4a927a10fa5210f54908c43c6d68a09ef1aae0aaac40538b4f9252bc01f7b2e3f3e56fe2ee89f0f739918f2559e6af63f58af914f68ba97927245324d7843

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll
    Filesize

    405KB

    MD5

    69d9cc8fcfb951ec44c7d9f26bcb3499

    SHA1

    243b233b74a96d2676a0a2c3dec02904944c97cb

    SHA256

    0167466a80c29b10f0cfda34c745930d96a1117d6a9b7838efd6ae77156df495

    SHA512

    18c588224cd6e5a3b82d27c98f6f92bcf6efb111b11f0c6695ecd9ea1b0dfebf1e5575a4d0fa1e193890a3d7409a041fa5f1322262da095a9f16e5b284a48eab

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll
    Filesize

    569KB

    MD5

    15f5792844af082587747a09f1123a0d

    SHA1

    558999ff58818971f96dfff4f433afa596794ba7

    SHA256

    e5188cf139c4af572588fe794b7392479a0bf59aef86666a0a22db121e41da9d

    SHA512

    7de7f740bab5dcafb9f502853963547c7e50993404535dbcd39b88a586a2bf31b50f1eebe4682ee5fa458a00948af44dc104daa0b595c2c02d6901a81beab24f

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll
    Filesize

    985KB

    MD5

    b992640abf4ea6cdac53d8b38076f845

    SHA1

    ed480fe74fb663e0192098c99a822022b380481c

    SHA256

    f945dddd970b1bd95c6f713f3a1797a2f0772bbaaee0803f43e39fd748d4502a

    SHA512

    a3b1beef8df9a0f14eda0cd6d01895bd17c346fd930284806cea6657b3c73df8899c699484742a45753dc0cd85b4b92e7e5b6d31b4f94ccc9865959f28fbc0d9

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll
    Filesize

    50KB

    MD5

    331f05e490914da44395950a1a57755e

    SHA1

    c1961dc9fa4b58393187d32afd4bb6a44828de03

    SHA256

    2072908383ee3b1bc47041600a40ccf92a64ec3046808cd62c61cb408da98e07

    SHA512

    2edd9e0fac061934dcde4b15b39a016bd0b70346b2e830bb06067383252fe349e54f3101cfa26e3498cd0714c541deff9047ca7e7f77f6b575af9a0359334330

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize

    27.1MB

    MD5

    d80c0e89cf4ed13bedeedc1d023cf1cb

    SHA1

    7775de9c1b7044c211f6634507ce5b54e6d50a59

    SHA256

    0632794ea40f575ee8ee692f0e48520e403d25ccd95de224095f3e1717aa2aaf

    SHA512

    d6868381dda84b299bdf7b1bafef9ed08617626391bdcb1110e58e650ff402b409b02834e244472fb125726a27f3e9bdc372ea213b70de3042acd874f5b9c573

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
    Filesize

    13.6MB

    MD5

    2ee3851baaa3c7c9f685902605e6259d

    SHA1

    8a0cb1905d005bbdf4f676b4e21afbe1bc88575d

    SHA256

    8e60d450460a0a2ffe9f501342c7a3ad357dbb5daa121eabab05810c3381d00b

    SHA512

    8428f8149fc034accc3d37459b55a8eedb5c85ba0c06d16dae6da67f08f9c88aa94f5e9c4635162c1dcd336b7d536983f60d0381f63b90c4117049995b79cb9d

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.17425.20176\i640.hash
    Filesize

    106B

    MD5

    c42769fc58a705ab16044804cd33de08

    SHA1

    ea1e6c0774ad18ae80b69105684df800e59002a3

    SHA256

    87f6b9a4eb6fe138ce34632445034b1426724ac65893b5f0c2d3df1b09844d02

    SHA512

    74434e1345628d439a40ede16dc59c91b4c582f5867ea0ef42e8c36dc4284a7327ee722a644fc0af47ca595c716ae2b2381f30574e10b323f5e6c6c7ea076ad9

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat
    Filesize

    31KB

    MD5

    36957c7c690a6238b9d06f7ac2bbb09e

    SHA1

    0e13ccb55b2453ac0b6ddfeb4b61a2db656b2407

    SHA256

    78a1951162274ea528a5e5aa7858093cd51ad3da66c5b8aac6155b49992a396c

    SHA512

    2ac34da18adc5cfa433b259e2563695418186d393cfe174b88c24d2d64c678ac82cbebd3bbde82703c9307c586c1edab3f305bb862299feb544b94b890118c46

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll
    Filesize

    559KB

    MD5

    c3d497b0afef4bd7e09c7559e1c75b05

    SHA1

    295998a6455cc230da9517408f59569ea4ed7b02

    SHA256

    1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

    SHA512

    d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\en-us.16\MasterDescriptor.en-us.xml
    Filesize

    36KB

    MD5

    72fb563248d442e416eae516094458dd

    SHA1

    d206ad65cfe79d52bf3d0845cbe35585cf7e365b

    SHA256

    7680d0929bafd13ef271a853659afbbf313dd2fb69381f7eb00fe08d38615fe4

    SHA512

    0161a2faef57ed1d704dcb1f89e4d794a563c8900acc0494c8a56e9645637fbd30930c916c261353b399282b256c40e687acf9ef875483bec4cdc0666c4a2639

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\en-us.16\stream.x64.en-us.dat.cat
    Filesize

    78KB

    MD5

    8551c9ac4f3ec1d6bf80d23396fed971

    SHA1

    c01110845fd2e9b631b0751981c92d90e89d2714

    SHA256

    9115dcf7978a71ecdfc4cae690f4e7c43ffab7a3711177139601bb252d1e119f

    SHA512

    b20daf2312e82e8b6ef2e21d47606d1a617577565108666ffdd757e370daf688351915d2c43ece57ee00e910be53f723875ad9d4562622fa297f700216c69a7a

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\sd640.delta02.cab_extractOfficeC2R1A57730E-8AD8-49CF-8673-82572E7BE486\MasterDescriptor.x-none.xml
    Filesize

    31KB

    MD5

    e640a6b8af4361a79ba887d1af5993fa

    SHA1

    029cef189a38ff85b6ae456cbfea59b70cc3b725

    SHA256

    09582ad3d949825978c4289654598a20a7ad8128606a1bb4cc33b3c8e931d290

    SHA512

    85f37aebc49e594aa6a4564c8a83234be207f86ad5b7fe00e612f7a58e980da84c31fdbaabd63932e6218479fc85b89b0315b52ac53d375959c5e07dece17c44

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\sd640.delta03.cab_extractOfficeC2R2BD9089F-9BD3-4A08-B659-2A58B285FA18\stream.x64.x-none.delta03.hash
    Filesize

    128B

    MD5

    c96676c4e935552d7b23caf0844acbb2

    SHA1

    e51181e2d5aecc64b2156e0b7f5c2ae721062e27

    SHA256

    d9dd0a2e99b95e0916575fd4f0014fd44981beb2d99b3af82b14bf29d227c21f

    SHA512

    9f4b50a63c0ab504060f0ab911561afecfe75f5b9582ff1039558a6088f42d89e4dcbd1e2b45f61ce881513ceb33ab42d57f568cd77445669439e52383511a08

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\sd640.delta03.cab_extractOfficeC2R2BD9089F-9BD3-4A08-B659-2A58B285FA18\stream.x64.x-none.delta03.man.dat
    Filesize

    22KB

    MD5

    e48beb9e1c747f4c5119e72d2382040e

    SHA1

    21a7956474881402e26731995807cc84931d19bd

    SHA256

    c764726c73ed0bbdb2ed814d7f0d88fd37a7ecdb87024a8bbbb1bb3be5fcc122

    SHA512

    c3dc143ac4e6a50faf7eb5fe4018803dbc7669cbe4c75a4a98bb194004007d0847fb37ac235bc54fef12a85332bda01063f51e7c6dfbe49893a8a361e6c381ad

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\sd641033.delta03.cab_extractOfficeC2R536EA8A4-B43B-42AF-BB8A-E9C336860C13\stream.x64.en-us.delta03.hash
    Filesize

    128B

    MD5

    840946710eb8ccfaf98f31f776eaace0

    SHA1

    fa917c58d32105c1d4ba3ea47c34f81a2030484d

    SHA256

    811bddaaa9839c2f19d165bf7e89f8693736c7a3d16a8da26d1a9e28fdc611a0

    SHA512

    2f9d1d2d5c6847aaaad6cf9f534bbae5d7d434eeec5a636c3d44bb715e0dc504658145e9944978d72cd0e315d9adfe79fa15976d9b248bc892eea40d8945cae6

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\sd641033.delta03.cab_extractOfficeC2R536EA8A4-B43B-42AF-BB8A-E9C336860C13\stream.x64.en-us.delta03.man.dat
    Filesize

    15KB

    MD5

    9172c7830ebc7049d4a1830624a0bf46

    SHA1

    694c6df4b1233838e50304a3a9c23d89752cb602

    SHA256

    0ac5fd10987aa4eac096535d9004d9194c95d40dc69a0d8c0ec08ba4f2f67264

    SHA512

    4db0343eb82837b8eb5b5d23100ea90c6233307b24941c856fcd4e163becd36b545c62df1bfbed4222cc16d08f8e7dd30c7ba6a29748c8fd75020ddd235e7d3c

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\x-none.16\MasterDescriptor.x-none.xml
    Filesize

    36KB

    MD5

    6e08be42bc44430589bfd4ef6efcb7a9

    SHA1

    310fe6029cc423da9317b5735d06455d7c68b5fb

    SHA256

    cdfe176584414d4f76730d283ac657d807d4f6fb5f382520bee8e296d2dcc68e

    SHA512

    50d24c53b14b9cb8f8d6b102971be1588a57d0cc2fdee110ca6c70eff59c3461f5ae8ca14a8c5facdc7f8669c0bc58a03360b3fa10777041c91a9f879dd364a3

    Download Submit

  • C:\ProgramData\Microsoft\ClickToRun\ProductReleases\579AE140-043C-48E0-B4E9-DA4BCABACF9A\x-none.16\stream.x64.x-none.dat.cat
    Filesize

    641KB

    MD5

    335082845f2f7f4534dc809ce8023d7f

    SHA1

    d83c0da25fb437981d6085cc0fc41c950cea4307

    SHA256

    e6ebff4a02303dc9eb9355c6b61013a032f89064b15d4c994bd122b3369da685

    SHA512

    6670affec93d5bd477036f3e8c670f993d8a0eeb3d0695a80a13f77d3a7d4da03753f74dd5a651f889a9397b5cbe5e5ac44091d30a1d9cb9c50d7b8803054445

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    95201d9e44c732d9b261b4b334505d6b

    SHA1

    d5f3f499ef27920d8a614152191a7e0c2f9c0264

    SHA256

    baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669

    SHA512

    15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    2208402194df8a02b16749214bfc0749

    SHA1

    8898f080ac7581b2bed4c6af2e1659468bd3c1b7

    SHA256

    741ed5b0c2d33aab1601936c63822b89b1a7bc2a8e22d628dadb94cc98984fcf

    SHA512

    f76152ecd62a6fc925490ef69585b1cdd92c34d48585eaa6ac81c88075f9d6d7b8f818d2e45d04d3b79b7ac7e3a899d09a51d9fa10d10ccf9c31a146ad689670

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OFFICE~1\i640.cab
    Filesize

    32.0MB

    MD5

    0c35b027efd1f9989218458955bfeb65

    SHA1

    b306d2c4404fa6233f7a75d2d20ff3b276edcc37

    SHA256

    f8b12545547fae5a120d2d6ec06a8c0e157c0f9726934da55800cd92bf069697

    SHA512

    3dd10d74bb3dd42316778dba699d8916f50680d85ec8e859a2c4721ae5a6417f0ac21b6e9c0e17ff74bb307136267c91eee0401a97cd7badeaff08a00a568496

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OFFICE~1\v64_16.0.17425.20176.cab
    Filesize

    11KB

    MD5

    4ee16070ad1b7c2e9eb555ef17388e16

    SHA1

    f1f300e0f50ba57701bc2ef3a6b1bb7999fe679e

    SHA256

    ae2e2ea31ae90eb06e3e9eb82949de3772d07e72514b96addba39bee1886d90b

    SHA512

    ad3c5ca0d190557f3b499e51323bf2e0f221e38a9e960f7c9cfe6577c134a0d561bcb4a31c33abbd352b19080d925907d2e621b5911b7051b878be3b971a4128

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch
    Filesize

    26B

    MD5

    bd3457e50947d4280734e74b51b5b68d

    SHA1

    424635c6b5622a6c01a59d290a1c9ab8e593effc

    SHA256

    23d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5

    SHA512

    e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch
    Filesize

    3B

    MD5

    21438ef4b9ad4fc266b6129a2f60de29

    SHA1

    5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

    SHA256

    13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

    SHA512

    37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OfficeC2R2B2AA145-35C4-40DD-947F-1403DDDBA9DE\VersionDescriptor.xml
    Filesize

    25KB

    MD5

    f90bb7d675b52ca5fe6b8494cd1e1bfb

    SHA1

    a676e3fa737de0e1734a98ce295eb58d130352b3

    SHA256

    987eef8a72ba4088b9910503eacd4da8e937ec7bbd05fd207a7c2d83e1e2be37

    SHA512

    33ebc6d4c3c8927923ee9c8fc471666d290bfe10925e73c87c3b74c072f7a29922aec9ff12181b8af5f0550578be21c17440a057fcff34aadbc39fbd67896976

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_in5mho2f.wju.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Windows\Temp\OFFICE~1\d640.cab
    Filesize

    9KB

    MD5

    5e243f4abaa028970bac382cdbfd226b

    SHA1

    044cfed8df8d4eaeb5a546aef20726caa737af6b

    SHA256

    29d93f00ee0f23cd6b99411f2286a5fcf70df34703d7876dfd0b3c3b953abbf9

    SHA512

    0a526e7c4c85f3334a065727051ac4523b7d9fd92b8fb1df6c725e7a22ae56703fdc02636ba0f7732ef5668f10a4ae2074f48d3194b8f5e20d459dfe16a37e16

    Download Submit

  • C:\Windows\Temp\OFFICE~1\d641033.cab
    Filesize

    9KB

    MD5

    169a54509a2013a203bf258c1392e419

    SHA1

    c15d2aa84c52ae1e73ea1f8a94255f4cd28d91d2

    SHA256

    f8c6d765c758ceea0b1f3b7c71f0a3063d8120781df2644b3c19e0cca42e13d8

    SHA512

    0a5e1ebf635278f74abf18640c9102d1d3521c56dcbb29656f8a5344954a4b2d295f210bca3a0a324948720bad3c640c404831a7e1b35661c922d96b6fa9b213

    Download Submit

  • C:\Windows\Temp\OFFICE~1\s640.cab
    Filesize

    2.4MB

    MD5

    42dc75eb64b589d3be7f1dca985ab98c

    SHA1

    bde35baf1c616f3086cc7b26851ba8053964bbfc

    SHA256

    654568d607d97596f65db8058e114a2049293813f4c82183bdfea6a681a3f83d

    SHA512

    d70ffb312aa6452df51e7c3d7c261ce8d6b1cb185c0041e83cf0314cb03b0663b5978f020267472ed13d3907f3729358d1d248c1c7496057817ef03fc1ffa356

    Download Submit

  • C:\Windows\Temp\OFFICE~1\s641033.cab
    Filesize

    516KB

    MD5

    27ba0f0c4d92745be0b1881d9e975cb7

    SHA1

    d73a799384b8580e038a8769a2770007e672ae18

    SHA256

    47e11197cb0558c97533299026439daaccc836ec27ba1c5b21282d00a5cb0464

    SHA512

    b6ce90cdb426c9f8c415304fc1fe21baa1e6b19990aa37fd5e524ae38fafeafa1896862cd24c4eccbf3bfcbdd2643d05aad8bb761ac9686983335ae182f44bae

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd640.delta00.cab
    Filesize

    2.5MB

    MD5

    95208bd98fbe6420ba3d4e63958b8ea1

    SHA1

    8b33adf213e03be55b5221f9a6b531735d5c9fab

    SHA256

    dcf2fda5b0ea07ab69c37f88e8064421b74ee17c67a6e0ab6f7db99cc31f39bc

    SHA512

    4e591890c847329eea8975a306d296326f31da388e20b0908e6781976c6751eda9e4aa18793b047e93d56e47964ee14a30d2802de8cc14e3c612c3f46e776a27

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd640.delta01.cab
    Filesize

    33KB

    MD5

    355ca52938b4a608699ee30588bba52e

    SHA1

    c1eaaa3b078d3d135c8731e41f5deb669bddf142

    SHA256

    cbf6806315a0a21236be2e8f219366a9e85111ca2b2c7135342cf9f26f3822f9

    SHA512

    f39fb01a1a13648aa9dfaf75417ae6db4067726f2d0b807fc3eec1701e918ef8418047b6a24103cd5215ca5b755330e52081c76be9c6cfc296ca1014cd7c1cf6

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd640.delta02.cab
    Filesize

    33KB

    MD5

    a853c6d1a4d10afee2afbce5832f63b4

    SHA1

    a28b297de5b67f6882081ffe880ad3f49f366269

    SHA256

    aa277bdf1a3f38bb439fdd5380e557a87510c1bb237cdb234c8b950d389bb057

    SHA512

    865f794f8d5462b71a3170403e8812d5f55178df44ce54d6328a4add883249eab2ed2e86027567632f957c0a45b0322bf80faf9fbcc02f896119556ef4465d0a

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd640.delta03.cab
    Filesize

    33KB

    MD5

    db8c5f9424cb45f1462a319929a7b4f2

    SHA1

    c2cf09c9c4b3c5735e0c1b0d81796eabc50dcdda

    SHA256

    1d5ff9ee98dcf822a2ac777180f58db2c13e1bddb8328a4ef21cb586aa18229c

    SHA512

    76ff2c095535bb5220671afc6e0ede3231299a5b30d93b3b60b5c664e403356b313bd5abfd8d00179bae9e01455847ac6add1ddf22ea586787bff0ee7db4575e

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd641033.delta00.cab
    Filesize

    356KB

    MD5

    96ea2c4a6cc7a291dd0c841b519ece11

    SHA1

    694196f92e9f5cf18cfa452c537a805329ec6f4c

    SHA256

    c83f4c285ab3887c6016b74964eaaf8d758ff7786ecc91bd99c214a4d7524a42

    SHA512

    48ed9f5036930154b7d6be8f023ceacca4973feca4cb115384c51e25a470d4f533d082777771dd29b7d560bf02da62bb6820735752930283f2da32fe84f3faf2

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd641033.delta01.cab
    Filesize

    29KB

    MD5

    c91b591a32967c24d389f33b730a8934

    SHA1

    c042653477f0ba63b5fb4191a3a9ee9e0929db4a

    SHA256

    a5af24f4a2027a1fb5421d234f1610b063de149c6e2482a87156efa70d3d13b9

    SHA512

    ca04afc3d8ee1195c3baee1237cbc89428e2956706e4d9479cf66d226008c90b87181b67199a68bfd8f48bc68341a4ded845f21ebbbb93d75a234beaf0c6807c

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd641033.delta02.cab
    Filesize

    29KB

    MD5

    d35bf25df8ddfb70cfd4d3997e680cb7

    SHA1

    8cb4bec9711c8f1bdb0f49792570c6a958da49f1

    SHA256

    946ddbceb438da29b348a83d675032fa796fa95dd337df07d4917e7a87995221

    SHA512

    1ebc06dcabd452d88b95c51c65dd506c4f9a8d06e97d592ded774b1e2baaf2a49891fe7471d503556e52aa7429524ea1b988c6bfcaa748aaaab73915506caf4c

    Download Submit

  • C:\Windows\Temp\OFFICE~1\sd641033.delta03.cab
    Filesize

    29KB

    MD5

    77f59bf350f2088a347d219e09a1c978

    SHA1

    a12f860a9db79f46ae4b82cd286f1c454b0e40a6

    SHA256

    f28381b54e5680dd085abbd335e7845bf1df22d0a899727e0b28766d98fe2c0d

    SHA512

    a4bd875ee0869a94ad22912049c04c1e0201719d676f168650f21cd64391c521a1360adcad2f84975f73757dae22f817dde68589275ccaaac56c3e014cd9d600

    Download Submit

  • memory/3432-21-0x00000000068C0000-0x000000000690C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3432-19-0x0000000006450000-0x00000000067A4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3432-40-0x0000000006DF0000-0x0000000006DFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3432-41-0x0000000007DF0000-0x0000000007E16000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3432-1-0x00000000719A0000-0x0000000072150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3432-0-0x00000000052A0000-0x00000000052D6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3432-2-0x0000000005410000-0x0000000005420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-38-0x0000000007BA0000-0x0000000007BBA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3432-3-0x0000000005410000-0x0000000005420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-5-0x0000000005A50000-0x0000000006078000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3432-39-0x0000000007D60000-0x0000000007D76000-memory.dmp

    Filesize

    88KB

    Download

  • memory/3432-37-0x00000000081E0000-0x000000000885A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3432-7-0x0000000005970000-0x0000000005992000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3432-8-0x0000000006170000-0x00000000061D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3432-9-0x00000000061E0000-0x0000000006246000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3432-36-0x0000000007800000-0x00000000078A3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/3432-20-0x0000000006820000-0x000000000683E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3432-22-0x000000007EFA0000-0x000000007EFB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-23-0x0000000006E00000-0x0000000006E32000-memory.dmp

    Filesize

    200KB

    Download

  • memory/3432-24-0x000000006E010000-0x000000006E05C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3432-34-0x0000000005410000-0x0000000005420000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3432-46-0x00000000719A0000-0x0000000072150000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3432-35-0x0000000006DE0000-0x0000000006DFE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3592-61-0x000000006E010000-0x000000006E05C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3592-50-0x0000000005E10000-0x0000000006164000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4624-559-0x00007FF7E9620000-0x00007FF7EA0B9000-memory.dmp

    Filesize

    10.6MB

    Download

  • memory/4624-562-0x00007FFD93600000-0x00007FFD9363A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/4624-560-0x00007FFD948D0000-0x00007FFD948E5000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4624-561-0x00007FFD93B10000-0x00007FFD93BAB000-memory.dmp

    Filesize

    620KB

    Download