Analysis
-
max time kernel
299s -
max time network
306s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
21-07-2021 22:56
General
-
Target
OfficeSetup.exe
-
Size
5.0MB
-
MD5
2cd6dc080a634beb490163f76199a013
-
SHA1
db4eb17b689ae7811c6e0b41bd73df83984682b3
-
SHA256
e6b5c8362f7ebcad6a5efef3772bfd4802ee6c34a617bbb8d2870b082fee3423
-
SHA512
fd94668806825515a1e90ebe8407791db4d45093e0f8bdb7d235d40f1056a729e7b6f0002fd01c842a97da4211d4b3acdfe280b59b1b4a5be68394826cfc39cf
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 31 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 12 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe"C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe"1⤵
- Checks computer location settings
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlus2019Retail.16_en-US_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/sg/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.14131.20332 mediatype.16=CDN sourcetype.16=CDN ProPlus2019Retail.excludedapps.16=groove pidkeys=MMNJQ-2XKG9-XGCFQ-YTC34-4YBCT flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.usebingaddononinstall=unknown flt.usebingaddononupdate=unknown scenario=CLIENTUPDATE2⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeOfficeClickToRun.exe platform=x64 culture=en-us productstoadd=ProPlus2019Retail.16_en-US_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/sg/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.14131.20332 mediatype.16=CDN sourcetype.16=CDN ProPlus2019Retail.excludedapps.16=groove pidkeys=MMNJQ-2XKG9-XGCFQ-YTC34-4YBCT flt.useexptransportinplacepl=unknown flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.usebingaddononinstall=unknown flt.usebingaddononupdate=unknown2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\lync.exe|root\office16\msaccess.exe|root\office16\mspub.exe|root\office16\onenote.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVFILESYSTEMMETADATA.dllMD5
27312ec34a5452d4070ccca50e8ce55d
SHA191a6430607a78f588531c68d4ad6b3e34253c19b
SHA256ead0f91bdca233199f69970f788c33bb9ad45ad774b90a44e2f95cb701051b78
SHA5121365d149f91cdcc871633bdbc5b7034ef034d2e101d6e96d4f628edf589497315974ec1ad948b2b6ae8ea47c52fd62865a4569f14972f9e1a8d571d70d3a0bfb
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVMANIFEST.dllMD5
b34b3761b55dcb33626fa3161eb15fee
SHA103ceb80844ad9b5ecfbe731ce49f40d6e58334d2
SHA2561b344aa0875aeb12cd2d037411c5b97622ade52d6a40c5bf336355d79371ae64
SHA512772f6c26e8b15c8c054c5aa72f371f4234cfa3dad82edf7b21ae89509500ffb2db75123f1faafcf8eeb466259a54425a8bc563539a9ac50676dd95f6a1a32a7f
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVPOLICY.dllMD5
3fac26f8941a87c077006422f1fd2d50
SHA19f1401d3b17136e2ae15075d0c7fbe88e1bcebb3
SHA256f3e8d273ffd5453a19a4ead39a3c56a8d3581d9e972177d65422d7e338125a1c
SHA51291e879b9b007346e2330ec7f0a06232788dbe50db13a2c3bd589aac36d0bc7bb4bc1c0428b684a72dd0e47afe03925d27ee9f65a531a742704cd3a89436d8091
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dllMD5
cc2b3930ea10d482dfa35233adb38bce
SHA1d7243b76955e18f0b43632fdce3e3fdb21226d85
SHA256d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e
SHA512ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVCatalog.dllMD5
544877c1af95dcd2de43dffebb9a10ad
SHA1bf43d8ebcbdfd0f2175788ff68974b073c8606a8
SHA25645ac7bf2afd7f59eadc9d8797f5052e5c9ba8cbd499cd8b7487ea43193529985
SHA51210bdeec5c7a5e4f28bca9efd9d5b9e101eb401d19f0cb6d305e504bf680996ecae6249e6f61933e6715a8210d8ffa751a256bf29769533aaba6f5d2fdf6d2c9d
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dllMD5
3286c112ff9a603008822d53827aaeb5
SHA119db18066701aa465dec35741feeb17d0df068be
SHA2560d31ad541270c495236264ec416509d23c3166147bd9ad0dca38a7fb277d2a79
SHA5128ea06f68cea12c33839a7a2392c41b327143adc393ea4bf6889e98e97094d6329b4a18eb380aa6d66285442fb2cd5bf81b8afbcc834a83db7c0896afbe41919b
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvApi.dllMD5
3c85cb2d2e4b9312d39983115f4b7988
SHA1ad24746acb90a819b3b146a2774a19da17873e1f
SHA2564f45a7f0829ffef4dd0e083ceccd0d4987da6b3a889d7bc1a8071de43efdf63a
SHA512b11fb96b4adf4f2c8139c7c230530660029cb100a924846857cd753e7dac2e70b6278acc02a15936e78fe845f4db3416e942cd167dc134bd11e479aba661957c
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvStreamingManager.dllMD5
cae5364f833e5da957bbfd9be4fc209f
SHA1a66b96edad93ad3fa8f9314b001cf796f40641b2
SHA2565d98e973b1ab9b532c610105d9f82316ae9d3ecea1afc0574ae6f7423bf05400
SHA5127fb14d7c9785c44e0d6da1d52916f3ee6b2c56111e4f110df53fee249979ba57f52bc90ddb363a6be35003efbc6b4493505a608bc9fa6a342005b895ea2bcf08
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dllMD5
af903d45c9b5e57ed44dd74fb71db058
SHA180c098a6c6df6671767191dae211f658f47ead1c
SHA256f7d4668d289d1aaf3c5dba545b23c02c2719494d0e63620ff17ba4fe3b003cf3
SHA512d1bf3599917c75c4c8d4fb3f498423b5b0857cb8edaeb0b304e4432602fc1234130308905ff59b4b03e554c2242e66c5932d2d6d56c7fdb47fc6ae98d0efcf31
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dllMD5
6dc8dcb1f8d25626061a5f7b8c00e1fb
SHA12a153334c8c7c6a43bb33d404cb8dac69b78186a
SHA2569dac9604746a1dc8c65964ed1c4f357d7b52348538c3e711accfa20a09a84d82
SHA5124663b3df8f0b717440518a1e587263e969cd83c4faccbceda83f35c3533a03a2f0fdcc142e44f1da48b4002ee4ab0c2930f1a91f61a31edc9841453ec4f052ae
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dllMD5
5046c0734d201fcff86da3ae826cfeee
SHA17c55fb67861742ff6aed202ac7d2064f85e486eb
SHA2565879eafe7a6e2418a8acb25bd00e4fa78170259610fa8a11e8e1e4cedc30cd6b
SHA51237ac546f7d0634812574122a8c3f3ee4d9fa57b67deb6b96ccf34c4be60787f7678a8ef8eed927e8595e0859648fec7b144385b4410e13ec91aa6cec2c734739
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RUI.dllMD5
9b2928440830f5557b55243f5690c072
SHA11a8c55fdc946d7dc7bddeee110b3190c5d488cda
SHA256062fb7d5dd121d031acca2b845272fa9da7d21e522053e43dc7beaa28a012b96
SHA51254fd4e3a8fdd242156c38ff5bafd253e502522359b9be08dd50fa2db692a57c28c373a84c259c747d3ca3926e614af003e951981d2f230a0d0698092dd5c5f9f
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\IntegratedOffice.exeMD5
f83496e864398a5caf84709e990b9a1d
SHA166d739dca1e0f5058a11bcaf2224c51521d4ebf2
SHA256e740c941c003b603f5c15b73918054a529832c98028e38cff49babc617cdbe42
SHA51279f534c9a09941b9a3ff9c06120f5ae10be4ec4f1d3c2850d34c9e35042482c304851cec36a82ce802f9f24a769e823e262c3ea339c64e68910a7683bf297067
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSIX.dllMD5
3fb73294dd0a16d24755743210a709c2
SHA1141b831c4e2848cfb870bc35e2a27acf2b38edeb
SHA256a4660ce9df336dfd1974bcfceed10433834e71a36918d8cb5f030c35a6bcaa32
SHA512243c39c26a9a7967df25624dcf8fc4549673399c87f49788c19ff8683ef344f1dc33adba9a1fbe31e468231a5d4584c552df5eed18e91ba264885e010daf6b74
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSVCP140.dllMD5
c15a199252046e54b2447ac8a23a4f5f
SHA1f9d6fc729ff7f03494a5f1f51b9693a7df689a7b
SHA25618bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf
SHA5120505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exeMD5
121b3ef38dca50030b4a03138468f034
SHA19d745cd87258f90e44a124df8dd8d9d86e057c2e
SHA256dfa4af56c8f01280182618667201f123cd1d7555fcfdce0945056fabd0045566
SHA51263d6d7f51e11c357efc771ded36c2c4d001eed4fc087794d05fbc58baa20bf3f819aeb0a5b8f4b7c929c261eb39957225af480ef9e4a3de02fb4345f56d942d9
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exeMD5
782fc534737ec5d85fa226b9b4b7e1c8
SHA1b5a53d806c74f29fa027717243a852384f5fbe20
SHA2561193b9810bb4842bc8e52c84e6d090ad7b42879d1090079ebf4e37376ef2ca88
SHA5127a54c04d061e95481f840ebc15e5680075b7f0d00d5f481b7fd450c8fdc3c7229f057188b8fda9afa097d86507e840d3d9e2ca72ece38684cbfc899d4f9e8e12
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\StreamServer.dllMD5
41a43383922e9e6ffab3ea06a7280686
SHA117cd7ad5a61488d1c6b489254193e6955bd60d7f
SHA256d537afe5f824c4bb38c8dc42c0c3e74b1330fc7444ef438f7f608ddc208ad50c
SHA512d59cc8b85fc559b23c6c9c98f324efaf8d181ac86577f5cbedbfd97c132f010044d986da7f8fccb325d42417012bc1b608ae41c31adbcce78864c4e7b5d06846
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140.dllMD5
845a3a6471fb853d0d218518e4c48f8c
SHA1ab4bad2575ab028b0cba13bb445e3c6dd965fb13
SHA25648140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d
SHA512f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140_1.dllMD5
6feeb6ba00dfee9cf3a2e4c6905af7f1
SHA15f7a7a74f9a7de8a344299bf966c0723da26a056
SHA256092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5
SHA512a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\appvisvsubsystems32.dllMD5
b08214bf264103819d8f4acb0ee405bf
SHA147022962ab1ecce56637717b61c53141cac08994
SHA2565c2bd34dc72468abf4af44989791e6dbe526735f2f42c4e3737ddd2e82c31352
SHA51267bd23b4cc79c55244e957e7ece438c475ecbcea72409402890f3c78b658b23cf3b9917bb4995d38fff017c56e3cd01300564917b41da426e75e1e7c2b24e31e
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\c2rintl.en-us.dllMD5
73eb617dc2d2c809bd729b40c3516638
SHA1b77d4c548936ef8a18d4f3b58b09a9064b304f42
SHA256fae187f5c35801adb694a561edeb9310dc0d4816587cd86d4548277014ff5d54
SHA512931d41ce892a2dc3c6dd9c80dcaa166713f7fc3d5e31c4a8dd1730a36bd68a54522bd2591e5b09a075b88a064fdd254efebf9fdfab662c41c5330f603e79eb2f
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\repoman.dllMD5
e0d7d6ef9a89793ae929f551ff70f439
SHA1ae4b8be1a993c02c2e5f36de0f06fb0d503555b8
SHA2563ca6e75b244239f9c39e399792acf74c6bb4474e8571abfcbfc21ff39af99524
SHA51293deeeea36898b48804c4e4a6381434c8974035df986a8bb8cc688d251e84e94042549ab40021e1a4ed09dfcec1b4a91953c7b4f172165561f11f17fa1a7160e
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exeMD5
121b3ef38dca50030b4a03138468f034
SHA19d745cd87258f90e44a124df8dd8d9d86e057c2e
SHA256dfa4af56c8f01280182618667201f123cd1d7555fcfdce0945056fabd0045566
SHA51263d6d7f51e11c357efc771ded36c2c4d001eed4fc087794d05fbc58baa20bf3f819aeb0a5b8f4b7c929c261eb39957225af480ef9e4a3de02fb4345f56d942d9
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeMD5
782fc534737ec5d85fa226b9b4b7e1c8
SHA1b5a53d806c74f29fa027717243a852384f5fbe20
SHA2561193b9810bb4842bc8e52c84e6d090ad7b42879d1090079ebf4e37376ef2ca88
SHA5127a54c04d061e95481f840ebc15e5680075b7f0d00d5f481b7fd450c8fdc3c7229f057188b8fda9afa097d86507e840d3d9e2ca72ece38684cbfc899d4f9e8e12
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exeMD5
782fc534737ec5d85fa226b9b4b7e1c8
SHA1b5a53d806c74f29fa027717243a852384f5fbe20
SHA2561193b9810bb4842bc8e52c84e6d090ad7b42879d1090079ebf4e37376ef2ca88
SHA5127a54c04d061e95481f840ebc15e5680075b7f0d00d5f481b7fd450c8fdc3c7229f057188b8fda9afa097d86507e840d3d9e2ca72ece38684cbfc899d4f9e8e12
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
54176ec6eaef90744f5c2f7bb7614825
SHA13b302e4d62cb5811779cd18939f7b40484e7dead
SHA256c7baa57ca88fe15a03be7bbd16f8b0b87c76482291302de57bc1410e360992ef
SHA51228a0f7e32cd291bdead87fa5f3d24512d32e372fc442d142628a681eabb6701ebeaaae3d6782d6e2d1ba438414479dec93a5afd43b7773fdcac18991008a26cc
-
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.dbMD5
8665de22b67e46648a5a147c1ed296ca
SHA1b289a96fee9fa77dd8e045ae8fd161debd376f48
SHA256b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f
SHA512bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
895f56745ea4e9d1fbc2d953ed6e9306
SHA1b0f134779cec71e588a74818705ea66d58842198
SHA256d3a0999d24ff33f4c4cdfff3417fcefafdfcace8f752677b868a367f07a37d87
SHA5128a9b199026db1e003668c164c8f96fa090acb14210aaa8e7dff54e207ef7524566034f13299d60fdcf356f8db377920f9b6f43596457e96c41dac3c63ce30e94
-
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratchMD5
bd3457e50947d4280734e74b51b5b68d
SHA1424635c6b5622a6c01a59d290a1c9ab8e593effc
SHA25623d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5
SHA512e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb
-
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratchMD5
bd3457e50947d4280734e74b51b5b68d
SHA1424635c6b5622a6c01a59d290a1c9ab8e593effc
SHA25623d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5
SHA512e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb
-
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratchMD5
21438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratchMD5
21438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dllMD5
cc2b3930ea10d482dfa35233adb38bce
SHA1d7243b76955e18f0b43632fdce3e3fdb21226d85
SHA256d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e
SHA512ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739
-
\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dllMD5
cc2b3930ea10d482dfa35233adb38bce
SHA1d7243b76955e18f0b43632fdce3e3fdb21226d85
SHA256d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e
SHA512ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739
-
\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dllMD5
cc2b3930ea10d482dfa35233adb38bce
SHA1d7243b76955e18f0b43632fdce3e3fdb21226d85
SHA256d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e
SHA512ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dllMD5
544877c1af95dcd2de43dffebb9a10ad
SHA1bf43d8ebcbdfd0f2175788ff68974b073c8606a8
SHA25645ac7bf2afd7f59eadc9d8797f5052e5c9ba8cbd499cd8b7487ea43193529985
SHA51210bdeec5c7a5e4f28bca9efd9d5b9e101eb401d19f0cb6d305e504bf680996ecae6249e6f61933e6715a8210d8ffa751a256bf29769533aaba6f5d2fdf6d2c9d
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dllMD5
27312ec34a5452d4070ccca50e8ce55d
SHA191a6430607a78f588531c68d4ad6b3e34253c19b
SHA256ead0f91bdca233199f69970f788c33bb9ad45ad774b90a44e2f95cb701051b78
SHA5121365d149f91cdcc871633bdbc5b7034ef034d2e101d6e96d4f628edf589497315974ec1ad948b2b6ae8ea47c52fd62865a4569f14972f9e1a8d571d70d3a0bfb
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dllMD5
3286c112ff9a603008822d53827aaeb5
SHA119db18066701aa465dec35741feeb17d0df068be
SHA2560d31ad541270c495236264ec416509d23c3166147bd9ad0dca38a7fb277d2a79
SHA5128ea06f68cea12c33839a7a2392c41b327143adc393ea4bf6889e98e97094d6329b4a18eb380aa6d66285442fb2cd5bf81b8afbcc834a83db7c0896afbe41919b
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dllMD5
3c85cb2d2e4b9312d39983115f4b7988
SHA1ad24746acb90a819b3b146a2774a19da17873e1f
SHA2564f45a7f0829ffef4dd0e083ceccd0d4987da6b3a889d7bc1a8071de43efdf63a
SHA512b11fb96b4adf4f2c8139c7c230530660029cb100a924846857cd753e7dac2e70b6278acc02a15936e78fe845f4db3416e942cd167dc134bd11e479aba661957c
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dllMD5
cae5364f833e5da957bbfd9be4fc209f
SHA1a66b96edad93ad3fa8f9314b001cf796f40641b2
SHA2565d98e973b1ab9b532c610105d9f82316ae9d3ecea1afc0574ae6f7423bf05400
SHA5127fb14d7c9785c44e0d6da1d52916f3ee6b2c56111e4f110df53fee249979ba57f52bc90ddb363a6be35003efbc6b4493505a608bc9fa6a342005b895ea2bcf08
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dllMD5
af903d45c9b5e57ed44dd74fb71db058
SHA180c098a6c6df6671767191dae211f658f47ead1c
SHA256f7d4668d289d1aaf3c5dba545b23c02c2719494d0e63620ff17ba4fe3b003cf3
SHA512d1bf3599917c75c4c8d4fb3f498423b5b0857cb8edaeb0b304e4432602fc1234130308905ff59b4b03e554c2242e66c5932d2d6d56c7fdb47fc6ae98d0efcf31
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dllMD5
6dc8dcb1f8d25626061a5f7b8c00e1fb
SHA12a153334c8c7c6a43bb33d404cb8dac69b78186a
SHA2569dac9604746a1dc8c65964ed1c4f357d7b52348538c3e711accfa20a09a84d82
SHA5124663b3df8f0b717440518a1e587263e969cd83c4faccbceda83f35c3533a03a2f0fdcc142e44f1da48b4002ee4ab0c2930f1a91f61a31edc9841453ec4f052ae
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dllMD5
b34b3761b55dcb33626fa3161eb15fee
SHA103ceb80844ad9b5ecfbe731ce49f40d6e58334d2
SHA2561b344aa0875aeb12cd2d037411c5b97622ade52d6a40c5bf336355d79371ae64
SHA512772f6c26e8b15c8c054c5aa72f371f4234cfa3dad82edf7b21ae89509500ffb2db75123f1faafcf8eeb466259a54425a8bc563539a9ac50676dd95f6a1a32a7f
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dllMD5
5046c0734d201fcff86da3ae826cfeee
SHA17c55fb67861742ff6aed202ac7d2064f85e486eb
SHA2565879eafe7a6e2418a8acb25bd00e4fa78170259610fa8a11e8e1e4cedc30cd6b
SHA51237ac546f7d0634812574122a8c3f3ee4d9fa57b67deb6b96ccf34c4be60787f7678a8ef8eed927e8595e0859648fec7b144385b4410e13ec91aa6cec2c734739
-
\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dllMD5
3fac26f8941a87c077006422f1fd2d50
SHA19f1401d3b17136e2ae15075d0c7fbe88e1bcebb3
SHA256f3e8d273ffd5453a19a4ead39a3c56a8d3581d9e972177d65422d7e338125a1c
SHA51291e879b9b007346e2330ec7f0a06232788dbe50db13a2c3bd589aac36d0bc7bb4bc1c0428b684a72dd0e47afe03925d27ee9f65a531a742704cd3a89436d8091
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dllMD5
73eb617dc2d2c809bd729b40c3516638
SHA1b77d4c548936ef8a18d4f3b58b09a9064b304f42
SHA256fae187f5c35801adb694a561edeb9310dc0d4816587cd86d4548277014ff5d54
SHA512931d41ce892a2dc3c6dd9c80dcaa166713f7fc3d5e31c4a8dd1730a36bd68a54522bd2591e5b09a075b88a064fdd254efebf9fdfab662c41c5330f603e79eb2f
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dllMD5
73eb617dc2d2c809bd729b40c3516638
SHA1b77d4c548936ef8a18d4f3b58b09a9064b304f42
SHA256fae187f5c35801adb694a561edeb9310dc0d4816587cd86d4548277014ff5d54
SHA512931d41ce892a2dc3c6dd9c80dcaa166713f7fc3d5e31c4a8dd1730a36bd68a54522bd2591e5b09a075b88a064fdd254efebf9fdfab662c41c5330f603e79eb2f
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dllMD5
73eb617dc2d2c809bd729b40c3516638
SHA1b77d4c548936ef8a18d4f3b58b09a9064b304f42
SHA256fae187f5c35801adb694a561edeb9310dc0d4816587cd86d4548277014ff5d54
SHA512931d41ce892a2dc3c6dd9c80dcaa166713f7fc3d5e31c4a8dd1730a36bd68a54522bd2591e5b09a075b88a064fdd254efebf9fdfab662c41c5330f603e79eb2f
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dllMD5
73eb617dc2d2c809bd729b40c3516638
SHA1b77d4c548936ef8a18d4f3b58b09a9064b304f42
SHA256fae187f5c35801adb694a561edeb9310dc0d4816587cd86d4548277014ff5d54
SHA512931d41ce892a2dc3c6dd9c80dcaa166713f7fc3d5e31c4a8dd1730a36bd68a54522bd2591e5b09a075b88a064fdd254efebf9fdfab662c41c5330f603e79eb2f
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dllMD5
9b2928440830f5557b55243f5690c072
SHA11a8c55fdc946d7dc7bddeee110b3190c5d488cda
SHA256062fb7d5dd121d031acca2b845272fa9da7d21e522053e43dc7beaa28a012b96
SHA51254fd4e3a8fdd242156c38ff5bafd253e502522359b9be08dd50fa2db692a57c28c373a84c259c747d3ca3926e614af003e951981d2f230a0d0698092dd5c5f9f
-
\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dllMD5
9b2928440830f5557b55243f5690c072
SHA11a8c55fdc946d7dc7bddeee110b3190c5d488cda
SHA256062fb7d5dd121d031acca2b845272fa9da7d21e522053e43dc7beaa28a012b96
SHA51254fd4e3a8fdd242156c38ff5bafd253e502522359b9be08dd50fa2db692a57c28c373a84c259c747d3ca3926e614af003e951981d2f230a0d0698092dd5c5f9f
-
\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dllMD5
e0d7d6ef9a89793ae929f551ff70f439
SHA1ae4b8be1a993c02c2e5f36de0f06fb0d503555b8
SHA2563ca6e75b244239f9c39e399792acf74c6bb4474e8571abfcbfc21ff39af99524
SHA51293deeeea36898b48804c4e4a6381434c8974035df986a8bb8cc688d251e84e94042549ab40021e1a4ed09dfcec1b4a91953c7b4f172165561f11f17fa1a7160e
-
\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dllMD5
41a43383922e9e6ffab3ea06a7280686
SHA117cd7ad5a61488d1c6b489254193e6955bd60d7f
SHA256d537afe5f824c4bb38c8dc42c0c3e74b1330fc7444ef438f7f608ddc208ad50c
SHA512d59cc8b85fc559b23c6c9c98f324efaf8d181ac86577f5cbedbfd97c132f010044d986da7f8fccb325d42417012bc1b608ae41c31adbcce78864c4e7b5d06846
-
\Program Files\Common Files\microsoft shared\ClickToRun\msix.dllMD5
3fb73294dd0a16d24755743210a709c2
SHA1141b831c4e2848cfb870bc35e2a27acf2b38edeb
SHA256a4660ce9df336dfd1974bcfceed10433834e71a36918d8cb5f030c35a6bcaa32
SHA512243c39c26a9a7967df25624dcf8fc4549673399c87f49788c19ff8683ef344f1dc33adba9a1fbe31e468231a5d4584c552df5eed18e91ba264885e010daf6b74
-
\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dllMD5
c15a199252046e54b2447ac8a23a4f5f
SHA1f9d6fc729ff7f03494a5f1f51b9693a7df689a7b
SHA25618bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf
SHA5120505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855
-
\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dllMD5
c15a199252046e54b2447ac8a23a4f5f
SHA1f9d6fc729ff7f03494a5f1f51b9693a7df689a7b
SHA25618bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf
SHA5120505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855
-
\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dllMD5
c15a199252046e54b2447ac8a23a4f5f
SHA1f9d6fc729ff7f03494a5f1f51b9693a7df689a7b
SHA25618bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf
SHA5120505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dllMD5
845a3a6471fb853d0d218518e4c48f8c
SHA1ab4bad2575ab028b0cba13bb445e3c6dd965fb13
SHA25648140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d
SHA512f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dllMD5
845a3a6471fb853d0d218518e4c48f8c
SHA1ab4bad2575ab028b0cba13bb445e3c6dd965fb13
SHA25648140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d
SHA512f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dllMD5
845a3a6471fb853d0d218518e4c48f8c
SHA1ab4bad2575ab028b0cba13bb445e3c6dd965fb13
SHA25648140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d
SHA512f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dllMD5
6feeb6ba00dfee9cf3a2e4c6905af7f1
SHA15f7a7a74f9a7de8a344299bf966c0723da26a056
SHA256092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5
SHA512a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dllMD5
6feeb6ba00dfee9cf3a2e4c6905af7f1
SHA15f7a7a74f9a7de8a344299bf966c0723da26a056
SHA256092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5
SHA512a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b
-
\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dllMD5
6feeb6ba00dfee9cf3a2e4c6905af7f1
SHA15f7a7a74f9a7de8a344299bf966c0723da26a056
SHA256092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5
SHA512a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b
-
memory/2076-204-0x0000000009230000-0x0000000009231000-memory.dmpFilesize
4KB
-
memory/2076-198-0x0000000008C90000-0x0000000008C91000-memory.dmpFilesize
4KB
-
memory/2076-142-0x0000000008C80000-0x0000000008C81000-memory.dmpFilesize
4KB
-
memory/2076-127-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/2076-114-0x0000000000000000-mapping.dmp
-
memory/2076-117-0x0000000006730000-0x0000000006731000-memory.dmpFilesize
4KB
-
memory/2076-126-0x0000000008050000-0x0000000008051000-memory.dmpFilesize
4KB
-
memory/2076-125-0x00000000075E0000-0x00000000075E1000-memory.dmpFilesize
4KB
-
memory/2076-147-0x0000000009010000-0x0000000009011000-memory.dmpFilesize
4KB
-
memory/2076-176-0x000000007F9C0000-0x000000007F9C1000-memory.dmpFilesize
4KB
-
memory/2076-177-0x00000000068C3000-0x00000000068C4000-memory.dmpFilesize
4KB
-
memory/2076-124-0x0000000007780000-0x0000000007781000-memory.dmpFilesize
4KB
-
memory/2076-197-0x0000000009140000-0x0000000009141000-memory.dmpFilesize
4KB
-
memory/2076-135-0x0000000008CA0000-0x0000000008CD3000-memory.dmpFilesize
204KB
-
memory/2076-203-0x0000000009A80000-0x0000000009A81000-memory.dmpFilesize
4KB
-
memory/2076-123-0x0000000007530000-0x0000000007531000-memory.dmpFilesize
4KB
-
memory/2076-122-0x0000000007710000-0x0000000007711000-memory.dmpFilesize
4KB
-
memory/2076-121-0x0000000006E10000-0x0000000006E11000-memory.dmpFilesize
4KB
-
memory/2076-120-0x00000000068C2000-0x00000000068C3000-memory.dmpFilesize
4KB
-
memory/2076-118-0x0000000006F00000-0x0000000006F01000-memory.dmpFilesize
4KB
-
memory/2076-119-0x00000000068C0000-0x00000000068C1000-memory.dmpFilesize
4KB
-
memory/2800-320-0x0000000000000000-mapping.dmp
-
memory/2912-357-0x0000000000000000-mapping.dmp
-
memory/4056-233-0x0000000004CA2000-0x0000000004CA3000-memory.dmpFilesize
4KB
-
memory/4056-231-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/4056-216-0x0000000000000000-mapping.dmp
-
memory/4056-307-0x000000007F280000-0x000000007F281000-memory.dmpFilesize
4KB
-
memory/4056-308-0x0000000004CA3000-0x0000000004CA4000-memory.dmpFilesize
4KB