88de739cac5442354a41df7ff4e8fc4f223a8ff9ff87b59c13df607b491ec679

Analysis

max time kernel
1141s
max time network
1148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 11:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ManagerOfficeTool-main/RunInstallOffice.bat
Size

1KB
MD5

67220c6f2714056236b22f6c0050a1a0
SHA1

c54e1e079fb9a8e85500283a739675a2c09f8358
SHA256

c9fa95a5b741fc6e9355702f7925c8c0c629b6d7da914d4159c66ed7bee05fe6
SHA512

9fbd25d7ae9f6340e7b49a584a191e5f4afe542809d74f4612cbddbbf4ff899633cda9dcc696d58662e5f9f0ed6c251f1cb9fda93513682d06badb7b6d3d4899

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
56	3688	powershell.exe
58	3688	powershell.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3688	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 54 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2456065670"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31150004"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a100000000020000000000106600000001000020000000a7000f05c322d2827757f9f8e6ab7dfbc205d50d6e3e4e24134a469f3a49cc47000000000e8000000002000020000000ebadb1414e8b28318760e09564694b28cfa0b77cd2065cc6431396cd458b0540200000004de46734b156e8a5da1fa826569db35c07e805cf1c9082e07a3de76192d9db25400000006eb258a70aa517ed00384ae4f43f12ad7fcd8d330c4116e5ced1f6459e4b60b6b4320ca62bdb55ca63ae1a6258f3c95f98e357b0f9fe105870364d7dbe175110	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{BDFFCF12-BBA7-11EF-9361-C67090DD1599} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2598680135"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150004"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ab44cbc7ac5e824ba8748f8001f100a1000000000200000000001066000000010000200000009b60ce227d32dad2224b38994cd5ffb2b8a7097ce59063e4d4a840b483cb9088000000000e800000000200002000000052dc049b4577f32fa6645de6c0541e62c0b5094b8ee56116745eaee667103e012000000009dfac8b8df530d7f7892213136fd562522e69bc8ce097fa3137b13199462e6a400000000cca1cbf4ef6736e72778c63c54f586396e5c60c7af4e1edad66062f882253209d7847cf6f3263fabdd1d76187d6a5cdfa086973d198e1f749da5a3f1892dccb	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30fe5595b44fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10035d95b44fdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31150004"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C693A4E6-BBA7-11EF-9361-C67090DD1599} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2456065670"	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2784	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3688	powershell.exe
3688	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2784	EXCEL.EXE
2784	EXCEL.EXE
2764	iexplore.exe
3168	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2764	iexplore.exe
2764	iexplore.exe
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
3260	IEXPLORE.EXE
3260	IEXPLORE.EXE
3260	IEXPLORE.EXE
2784	EXCEL.EXE
2784	EXCEL.EXE
3168	iexplore.exe
3168	iexplore.exe
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE
1788	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1752	2408	cmd.exe	83
PID 2408 wrote to memory of 1752	2408	cmd.exe	83
PID 2408 wrote to memory of 3688	2408	cmd.exe	84
PID 2408 wrote to memory of 3688	2408	cmd.exe	84
PID 2764 wrote to memory of 3260	2764	iexplore.exe	103
PID 2764 wrote to memory of 3260	2764	iexplore.exe	103
PID 2764 wrote to memory of 3260	2764	iexplore.exe	103
PID 3168 wrote to memory of 1788	3168	iexplore.exe	107
PID 3168 wrote to memory of 1788	3168	iexplore.exe	107
PID 3168 wrote to memory of 1788	3168	iexplore.exe	107

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ManagerOfficeTool-main\RunInstallOffice.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\openfiles.exe
  openfiles
  2⤵
  PID:1752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -ExecutionPolicy RemoteSigned -File "Install.ps1"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3688

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\LockSearch.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2764 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3260

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3168 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BDFFCF12-BBA7-11EF-9361-C67090DD1599}.dat

Filesize
5KB

MD5
7b5be38092d5b2dd29b3c20425ffb0a5

SHA1
9eab65a405704bf1fc1ed3d03d4428d1794f584d

SHA256
ff9d69680bf13e872d8d803d55921fd892e57e00d36d8e557846407cf68f0808

SHA512
bcd8033e9d252019c6999820a09034f7b67533a1dbda3fe223e5ff111d0978ef9a58eaccb3c6c96b0a7259cd7270eda0e7a8da9d97d0a51571c835731c5d6a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{B050C8B9-848C-11EF-9359-46B98598D6FF}.dat

Filesize
5KB

MD5
2650a895056abd20ff8cb7b5f9006fe4

SHA1
7962710be38e55423269827ab165b9af19d4fa59

SHA256
8025115f857ba1227a12babca10895f2405f366c08ca64fc44cfeb55fe460df0

SHA512
aaa5b419c351516b7898beb92f1924e011fc0945eab5a98b6eb5d251bc29c8a411285e488978acccc677e2f4c0bf74d6d0c085a378d2cd2eacd9f0af03d8a09c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{BDFFCF15-BBA7-11EF-9361-C67090DD1599}.dat

Filesize
4KB

MD5
a35038c1ad1d02a3eb7e1e55ba76d863

SHA1
366f6161631c86d3b11fbbadd8164404dfec2979

SHA256
7d25e47bca73a38cbc98e506f65abaf5890f5db866d09249e3792b72b1645fe6

SHA512
0502b0e19e56ce3f93cdf96a1e0023bc62199e8796f8fe8059826b87e789a61dcd336f926196fff8d82f275893d54f59f5d4dccd2388f6e01cb3270f027f00a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ManagerOfficeTool-main\Files\Uninstall\Get-OfficeVersion.ps1

Filesize
12KB

MD5
95d4899fddd68691a88a6fba4bb435fa

SHA1
73a2c45df273b9d950f0ac65a0c110dd9bf6c3dd

SHA256
b262189025e54340a0cb54875ebea2bea9a95b0218f18aa1e8f5a908002330e5

SHA512
66f585d89994aaf41f0d2f3cd563516ed19764219f12fddbf0bced9994a343231d977853975edb8397eecc3fd90e9f8f3afe8f666564390030220d531c04d9fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\ManagerOfficeTool-main\Files\Uninstall\Remove-PreviousOfficeInstalls.ps1

Filesize
66KB

MD5
27a07d948b099980d5be012368a5868f

SHA1
257841fc7b7ee4cd15d1eb591bcdbe57183ca364

SHA256
9ae43691b7a70486caa3c7cf36fe5b195ba09006bf39d0fdcdbef28a23ed19a4

SHA512
80d1c55ae6a576f5e2a4553cfdc02df3d0901706cded7259724eca638544df674e90cc47903d9129aefaff96a2606b915a69522d03e1fc002b186974d3bf5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwc4slbl.ibj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFAF86BDAB6DC3C4F8.TMP

Filesize
16KB

MD5
c6eea4ae5e2fc6cfb10175ca4d0c9d6c

SHA1
80f20730d8ae3314653f5f43529a947e08ff29be

SHA256
4c3a527b3d9cb92a9d63b989e8f1e49da258ffe740b5ee1adc761df17b55bf05

SHA512
595a531a24732395e1c458a3fcdbdd713ee54365b06307cf06f5c4bbae9e204a64cae9196f045ed30950086ac0f58b4e9350537b98a335dbff1f0718a6168011

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
368B

MD5
f19a9fcccdf19a0a42caf34478911b14

SHA1
b4f1ee9ccb811cc69072fbe907c9a6ed57df4e1d

SHA256
2f3db98ff2602ce9b65eab1860cf8d44fe1bf6f71ba874036df2f9daa3c5053a

SHA512
a651cfceff49e9fae4b26d45ece1b6c5df9acc7296cb8350a37290e63f1ac8f3a145f8168da9efa4d35824593a1ec40bad9cb9bb4c9a8fc8f637606c59521c8c

Download Submit
memory/2784-68-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-67-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-128-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-126-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-127-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-125-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-124-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-109-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-105-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-104-0x00007FF8835AD000-0x00007FF8835AE000-memory.dmp

Filesize
4KB

Download
memory/2784-54-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-55-0x00007FF8835AD000-0x00007FF8835AE000-memory.dmp

Filesize
4KB

Download
memory/2784-56-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-57-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-58-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-59-0x00007FF843590000-0x00007FF8435A0000-memory.dmp

Filesize
64KB

Download
memory/2784-64-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-63-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-62-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-61-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-65-0x00007FF841130000-0x00007FF841140000-memory.dmp

Filesize
64KB

Download
memory/2784-60-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-66-0x00007FF841130000-0x00007FF841140000-memory.dmp

Filesize
64KB

Download
memory/2784-101-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-76-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-77-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-75-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-74-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-73-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-72-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-71-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-70-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/2784-69-0x00007FF883510000-0x00007FF883705000-memory.dmp

Filesize
2.0MB

Download
memory/3688-37-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-28-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-18-0x000001D87A320000-0x000001D87A848000-memory.dmp

Filesize
5.2MB

Download
memory/3688-53-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-50-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-15-0x000001D8794C0000-0x000001D8796DC000-memory.dmp

Filesize
2.1MB

Download
memory/3688-14-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-35-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-0-0x00007FF865413000-0x00007FF865415000-memory.dmp

Filesize
8KB

Download
memory/3688-27-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-17-0x000001D879C20000-0x000001D879DE2000-memory.dmp

Filesize
1.8MB

Download
memory/3688-13-0x00007FF865413000-0x00007FF865415000-memory.dmp

Filesize
8KB

Download
memory/3688-12-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-11-0x00007FF865410000-0x00007FF865ED1000-memory.dmp

Filesize
10.8MB

Download
memory/3688-10-0x000001D861130000-0x000001D861152000-memory.dmp

Filesize
136KB

Download