f52a9ae7036a7e113d4ad84816694f9b713a9f1d82b279a126b295c9fa1d480b

Analysis

max time kernel
142s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OfficeSetup.exe
Size

8.0MB
MD5

a00cc587fc5b60da836fae6f57e37215
SHA1

9f0f130231be528d9e1815f8fbde59d498d6af4b
SHA256

f52a9ae7036a7e113d4ad84816694f9b713a9f1d82b279a126b295c9fa1d480b
SHA512

988a87ab8466e6a951da4486ea5426f33f2679993c4654de591c55f5ec18b358ed8b56778f910302cf3073c8ab77fa1eb8465f2a81279626f4868dccd72c0a34
SSDEEP

196608:+Fhx3li/KRXxG2nZ000UMVZUMPRcmLup5+g/TpxI81Heyf:2i/QxGAZ0FVZUILup5fpx3Heyf

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	OfficeSetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\International\Geo\Nation	OfficeClickToRun.exe

Executes dropped EXE 2 IoCs

pid	Process
3776	OfficeClickToRun.exe
2128	OfficeClickToRun.exe

Loads dropped DLL 10 IoCs

pid	Process
3776	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
2128	OfficeClickToRun.exe
2128	OfficeClickToRun.exe
2128	OfficeClickToRun.exe
2128	OfficeClickToRun.exe
2128	OfficeClickToRun.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\ClientCapabilities.json	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVClientIsv.man	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\vcruntime140.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.es-es.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.lv-lv.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\ucrtbase.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\msvcp140.dll.bak	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\vcruntime140.dll.bak	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVCatalog.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppvIsvSubsystems64.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.de-de.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.ru-ru.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll.bak	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RHeartbeatConfig.xml	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.fr-ca.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\concrt140.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\OfficeOEMPlugin.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\MavInject32.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\StreamServer.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\ApiClient.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVShNotify.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.hr-hr.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.pt-pt.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.sl-si.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\c2r64werhandler.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\InspectorOfficeGadget.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.zh-tw.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe.bak	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-locale-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-runtime-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVIsvSubsystems64_msix.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.hi-in.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.nb-no.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\appvcleaner.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\officesvcmgrschedule.xml	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppvIsvSubsystems32_msix.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.it-it.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2R64.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.pt-br.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\i640.hash	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\OfficeClickToRun.exe	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\vcruntime140_1.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-core-localization-l1-2-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVIntegration.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.da-dk.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.tr-tr.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\manageability.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-core-processthreads-l1-1-1.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-conio-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-utility-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppvIsvSubsystems32.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\ServiceWatcherSchedule.xml	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.el-gr.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.pl-pl.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\msix.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-heap-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\c2r32werhandler.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.fi-fi.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\policy.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.sr-latn-rs.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RINTL.vi-vn.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\C2RUI.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\api-ms-win-crt-stdio-l1-1-0.dll	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\16.0.16827.20166OfficeC2R3E212247-4B8F-4889-974F-6F45CC2310F3\AppVIsvStreamingManager.dll	OfficeClickToRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeSetup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeSetup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe

Modifies data under HKEY_USERS 40 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,7202269,17110992,41484365,39965824,7153487,17110988,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ExternalFeatureOverrides\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSession\officeclicktorun	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "2"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ApplicationUpgradeCandidate\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\TrustCenter\Experimentation	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate\officeclicktorun	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\CrashPersistence\OFFICECL\3776	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\CrashPersistence\OFFICECL\3776	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\ApplicationUpgradeCandidate	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\CrashPersistence	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\CrashPersistence\OFFICECL	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages\en-US = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2608	powershell.exe
2608	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2608	powershell.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4100	OfficeSetup.exe
5108	OfficeClickToRun.exe
3776	OfficeClickToRun.exe
2128	OfficeClickToRun.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 2608	4100	OfficeSetup.exe	85
PID 4100 wrote to memory of 2608	4100	OfficeSetup.exe	85
PID 4100 wrote to memory of 2608	4100	OfficeSetup.exe	85
PID 4100 wrote to memory of 5108	4100	OfficeSetup.exe	96
PID 4100 wrote to memory of 5108	4100	OfficeSetup.exe	96
PID 4100 wrote to memory of 2128	4100	OfficeSetup.exe	99
PID 4100 wrote to memory of 2128	4100	OfficeSetup.exe	99

C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe
"C:\Users\Admin\AppData\Local\Temp\OfficeSetup.exe"
1⤵
- Checks computer location settings
- Checks system information in the registry
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile "$package = Get-AppxPackage Microsoft.Office.Desktop -allUsers; if (!$package) { $Error.Add(\"Package is not installed\")}; if ($error.Count -eq 0) { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '1' -Encoding ascii; } else { Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch' -InputObject '0' -Encoding ascii; Out-File -FilePath 'C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch' -InputObject $error -Encoding ascii;} "
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version=16.0.16827.20166 mediatype=CDN sourcetype=CDN O365ProPlusRetail.excludedapps=groove updatesenabled=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True scenario=CLIENTUPDATE
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:5108
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
  OfficeClickToRun.exe platform=x64 culture=es-es productstoadd=O365ProPlusRetail.16_es-es_x-none cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 baseurl.16=http://officecdn.microsoft.com/db/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.16827.20166 mediatype.16=CDN sourcetype.16=CDN O365ProPlusRetail.excludedapps.16=groove updatesenabled.16=False bitnessmigration=False deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 flt.useoutlookshareaddon=unknown flt.useofficehelperaddon=unknown flt.UseTeamsOnInstallConsumer=unknown flt.UseTeamsOnUpdateConsumer=unknown uninstallcentennial=True
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of SetWindowsHookEx
  PID:2128

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\ApiClient.dll

Filesize
531KB

MD5
c66926bfecc9c8a1df9e2f1e17070661

SHA1
a6335dd5a0e62621b32c4a2d26c7b8a592d51ca6

SHA256
25d70018e8cda903759499599fd4cd015058966205f254e1a6660c72bc3e9cd0

SHA512
19a215b12f7eb2a5ffdcc43bdf58310be665a1e3f42d316f649047bb6ec8b6700a04288211b793e965514fa5f6785eb10a8cdd7cde9466d6362db0ef55206b4e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll

Filesize
1.0MB

MD5
c9f1a48e9594a1e00a754d0bf50fa6cd

SHA1
c07ac2f5d10c007e33a76261dd4b9f5a7ca9a67e

SHA256
b9ce70c3b1a73efe80753a05d93d1f84d43456095e1f72358a7cc5c48444d0b3

SHA512
3a1edfdce7884558a9ad728e897ef0b3268c18f68b79441fe6eaa4505cbb9ba757b9907ece46781d09e57e32c949e64c973e4ac848bfe9b88c53777e0c05bbff

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\CONCRT140.dll

Filesize
309KB

MD5
22a0056ffd1c0b3081ca56f441cec3c9

SHA1
81eaaed525b7c714261f840f7cdb5164e45d734e

SHA256
782910b23f8a65ec477f886f7bcbdc67103354af263bd30c0dccabbfbc506ba1

SHA512
72cc4c4625555fd2fb2276a0a062d39ff2ac7b55a212ce6f58fbd7f58ca5a4a0d69e43a7b72bdafa803c84bc400afb5c274e455e5846c83d35d3f9bce88be41b

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSVCP140.dll

Filesize
557KB

MD5
7db24201efea565d930b7ec3306f4308

SHA1
880c8034b1655597d0eebe056719a6f79b60e03c

SHA256
72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

SHA512
bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\i640.hash

Filesize
106B

MD5
d040fdc85462b75fd70a4b1b774b73a7

SHA1
ec68c13e5de7c339178341def04034c12cbed8c4

SHA256
235b4abf4be53f959bba1cc535904c3c38999b465d34b912cb6c03e0a982fd1e

SHA512
20e9646aa701dc9c144b9a05b0618e9d93e1fda0db6b5f73d027b0acc64838c2461e64bb08f22db09d96546d373aba16a993f97a254ffa8c1ccf7c16654093b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
531KB

MD5
c66926bfecc9c8a1df9e2f1e17070661

SHA1
a6335dd5a0e62621b32c4a2d26c7b8a592d51ca6

SHA256
25d70018e8cda903759499599fd4cd015058966205f254e1a6660c72bc3e9cd0

SHA512
19a215b12f7eb2a5ffdcc43bdf58310be665a1e3f42d316f649047bb6ec8b6700a04288211b793e965514fa5f6785eb10a8cdd7cde9466d6362db0ef55206b4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
531KB

MD5
c66926bfecc9c8a1df9e2f1e17070661

SHA1
a6335dd5a0e62621b32c4a2d26c7b8a592d51ca6

SHA256
25d70018e8cda903759499599fd4cd015058966205f254e1a6660c72bc3e9cd0

SHA512
19a215b12f7eb2a5ffdcc43bdf58310be665a1e3f42d316f649047bb6ec8b6700a04288211b793e965514fa5f6785eb10a8cdd7cde9466d6362db0ef55206b4e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
12.3MB

MD5
46ac7afc8a824aa0ddb5a7c65a850c37

SHA1
07a7a4ac55f3d69e69094f3b08ce730cf8606830

SHA256
f2e513184e7d4c37feff856cf75d8f1dc098069dde91fa0fdfd777e6ebb119f9

SHA512
b27414607170f69aef4039858675d634db292770e44bf3fa7020c14c5cf79254d0a2841751c5e0a4bc489ca7ba506515d035fca71ec8bac912f72a42bba8f30d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
12.3MB

MD5
46ac7afc8a824aa0ddb5a7c65a850c37

SHA1
07a7a4ac55f3d69e69094f3b08ce730cf8606830

SHA256
f2e513184e7d4c37feff856cf75d8f1dc098069dde91fa0fdfd777e6ebb119f9

SHA512
b27414607170f69aef4039858675d634db292770e44bf3fa7020c14c5cf79254d0a2841751c5e0a4bc489ca7ba506515d035fca71ec8bac912f72a42bba8f30d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\Updates\16.0.16827.20166\i640.hash

Filesize
106B

MD5
d040fdc85462b75fd70a4b1b774b73a7

SHA1
ec68c13e5de7c339178341def04034c12cbed8c4

SHA256
235b4abf4be53f959bba1cc535904c3c38999b465d34b912cb6c03e0a982fd1e

SHA512
20e9646aa701dc9c144b9a05b0618e9d93e1fda0db6b5f73d027b0acc64838c2461e64bb08f22db09d96546d373aba16a993f97a254ffa8c1ccf7c16654093b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll

Filesize
309KB

MD5
22a0056ffd1c0b3081ca56f441cec3c9

SHA1
81eaaed525b7c714261f840f7cdb5164e45d734e

SHA256
782910b23f8a65ec477f886f7bcbdc67103354af263bd30c0dccabbfbc506ba1

SHA512
72cc4c4625555fd2fb2276a0a062d39ff2ac7b55a212ce6f58fbd7f58ca5a4a0d69e43a7b72bdafa803c84bc400afb5c274e455e5846c83d35d3f9bce88be41b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\concrt140.dll

Filesize
309KB

MD5
22a0056ffd1c0b3081ca56f441cec3c9

SHA1
81eaaed525b7c714261f840f7cdb5164e45d734e

SHA256
782910b23f8a65ec477f886f7bcbdc67103354af263bd30c0dccabbfbc506ba1

SHA512
72cc4c4625555fd2fb2276a0a062d39ff2ac7b55a212ce6f58fbd7f58ca5a4a0d69e43a7b72bdafa803c84bc400afb5c274e455e5846c83d35d3f9bce88be41b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\i640.cab.cat

Filesize
31KB

MD5
4acd310bdf5b542685f481220db2d082

SHA1
ac05f217263674ab1b8558ba552b8a2e53b3dc44

SHA256
a0790a86b22cab6a915b9add19457f58e450f955c9da6ff7caa48623af402d2d

SHA512
99edd2608feb5d5335459b2de03087fd276d94a91b112da1e72698a2cac7db115bebfb6237a45f1f51a1e8b11d6d34734190f6eb301fbf9936517407f92730d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll

Filesize
557KB

MD5
7db24201efea565d930b7ec3306f4308

SHA1
880c8034b1655597d0eebe056719a6f79b60e03c

SHA256
72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

SHA512
bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll

Filesize
557KB

MD5
7db24201efea565d930b7ec3306f4308

SHA1
880c8034b1655597d0eebe056719a6f79b60e03c

SHA256
72fe4598f0b75d31ce2dc621e8ef161338c6450bb017cd06895745690603729e

SHA512
bac5729a3eb53e9bc7b680671d028cabef5ea102dfaa48a7c453b67f8ecb358db9f8fb16b3b1d9ea5a2dff34f459f6ac87f3a563c736d81d31048766198ff11e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
1b71e8b9709421c76b340f97307e4672

SHA1
0a8552efbc748a916f6ab1186fda4486a2092a28

SHA256
0cbd195bb0107f6c0019756a0bb2c1c40cc5008472b6b1ee37e38f8bb4ca2fc5

SHA512
668fb7e73580e47fd8a75ed81b15f79944a728d658acad474a431d73e5c2f762881dbf0568e10f129ca7ee3658a3112dc3a79be61726f5d39254985b41e57c00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
0676b6f32c23d163ef119797b97e2f1b

SHA1
0662a2742f951c7bd9debbcd8025a5ebc0725231

SHA256
3f3f4a31dd49e80bbb34c9aa80273b347ecdba2fb887fa3a0f8aba4929f8a74e

SHA512
09ae53dd67b363fe43a78c9e115c9245e72eaf5f6c3179999a6f912576d42de950443b2cc5a21fef3972eed1515c24568379b3527a07aeab488971206f8aea96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\OFFICE~1\i640.cab

Filesize
31.2MB

MD5
d92f92e645eac2e51f05a6d002e7284f

SHA1
4754c3664e49305a15663e9c4c3cf1162a363af3

SHA256
a860b4f66110c3ef4713fcb4266aa582ad2766c389518fe80d1a717c047c846e

SHA512
9a3033662c52ff393d1e8d1419369350222a7282de4407ff4970e4096c4c478c55cc1acceec7d5764f01cf23f200e21c8ad890d8f2d7f11e4de57b0ca807259e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateError.scratch

Filesize
26B

MD5
bd3457e50947d4280734e74b51b5b68d

SHA1
424635c6b5622a6c01a59d290a1c9ab8e593effc

SHA256
23d647979bc5dc186de5ba3e00a222a912ab8e4782eb6407efa70e29e95979f5

SHA512
e83e3615a5e94af288eb1c9b92f55e271765cc43531ec94574371debf63c0c4a58327b6fd8a4775bfba8a3234220cb0396b6d33164309a09a1d826c0689143fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office.ValidateResult.scratch

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Users\Admin\AppData\Local\Temp\OfficeC2R98092653-D73E-46F7-823A-530D5ED0BA49\VersionDescriptor.xml

Filesize
20KB

MD5
38cbb8a561c37a1a37902967cab426ea

SHA1
8ce8ff662e835dab294ad6f3e11d541944a60f20

SHA256
3196f007b0450f9f2b4b82f61603cade2eaa646c9559a7091e62d9391d02ffc5

SHA512
7ccb0cf35c1df48ec2f7550c2dc65b7c2940230e492da4cee7c4ba4d3bb96f952bcea151109a50f91c85a4d9e206e25df223451682a6b65b7fd4c153c1367f93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kjyqrhha.d5y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2608-31-0x0000000006440000-0x000000000645E000-memory.dmp

Filesize
120KB

Download
memory/2608-11-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/2608-58-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/2608-51-0x00000000077B0000-0x00000000077C6000-memory.dmp

Filesize
88KB

Download
memory/2608-50-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-49-0x0000000006AE0000-0x0000000006AFA000-memory.dmp

Filesize
104KB

Download
memory/2608-48-0x0000000007ED0000-0x000000000854A000-memory.dmp

Filesize
6.5MB

Download
memory/2608-47-0x00000000074E0000-0x0000000007583000-memory.dmp

Filesize
652KB

Download
memory/2608-46-0x00000000069E0000-0x00000000069FE000-memory.dmp

Filesize
120KB

Download
memory/2608-36-0x000000006E3C0000-0x000000006E40C000-memory.dmp

Filesize
304KB

Download
memory/2608-35-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/2608-34-0x000000007FCB0000-0x000000007FCC0000-memory.dmp

Filesize
64KB

Download
memory/2608-33-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-32-0x0000000006510000-0x000000000655C000-memory.dmp

Filesize
304KB

Download
memory/2608-52-0x00000000069E0000-0x00000000069EA000-memory.dmp

Filesize
40KB

Download
memory/2608-53-0x0000000007A80000-0x0000000007AA6000-memory.dmp

Filesize
152KB

Download
memory/2608-10-0x0000000071C30000-0x00000000723E0000-memory.dmp

Filesize
7.7MB

Download
memory/2608-26-0x0000000005EC0000-0x0000000006214000-memory.dmp

Filesize
3.3MB

Download
memory/2608-12-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-13-0x0000000002E30000-0x0000000002E66000-memory.dmp

Filesize
216KB

Download
memory/2608-14-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-20-0x0000000005E50000-0x0000000005EB6000-memory.dmp

Filesize
408KB

Download
memory/2608-19-0x0000000005DE0000-0x0000000005E46000-memory.dmp

Filesize
408KB

Download
memory/2608-18-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/2608-17-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-16-0x0000000002F90000-0x0000000002FA0000-memory.dmp

Filesize
64KB

Download
memory/2608-15-0x0000000005640000-0x0000000005C68000-memory.dmp

Filesize
6.2MB

Download
memory/5108-521-0x00007FF87D4B0000-0x00007FF87D4EA000-memory.dmp

Filesize
232KB

Download
memory/5108-520-0x00007FF87E7F0000-0x00007FF87E88B000-memory.dmp

Filesize
620KB

Download
memory/5108-519-0x00007FF87ED20000-0x00007FF87ED35000-memory.dmp

Filesize
84KB

Download
memory/5108-518-0x00007FF638970000-0x00007FF639409000-memory.dmp

Filesize
10.6MB

Download