23631416cd1d76d8b9b1bb014b3f5f96ab7dcb93e60d38fdc1a6896f9245df95

Analysis

max time kernel
427s
max time network
398s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
12/02/2024, 09:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Office 2013-2024 C2R Install v7.7.7.5/OInstall.exe
Size

18.0MB
MD5

816ed6fdf32a6d2ae153be18ebca59e7
SHA1

21264678ebd5c879f269ec60564b653dc1052ef4
SHA256

19b021d9bcf3b0137f2847a3e08826dbc52e88ffe617579b325f14068954db3f
SHA512

a6579f7fad6fdf59855cdba998764474bf408f441a924ec3c1cd1d1e51ac53a72fdbad75dc44bb06659a5fcb12ec239dc9f43cf32fd6ffe9523e57c5f9e6cf18
SSDEEP

393216:+CqFTywoCkhfO/zFXGW/F/P9wXiXzTheCeC/+pWt0Ts:+XFTXRkdObGXYzteWMa0o

Score

10^/10

evasion

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i640.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i641033.cab

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	2668	powershell.exe
9	6132	powershell.exe
10	6008	powershell.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 4 IoCs

pid	Process
1516	files.dat
5720	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
3240	OfficeC2RClient.exe

Loads dropped DLL 32 IoCs

pid	Process
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe
4864	OfficeClickToRun.exe

Checks system information in the registry 2 TTPs 6 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeC2RClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeC2RClient.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	OfficeClickToRun.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-wal	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\OTele\officeclicktorun.exe.db-shm	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A	OfficeClickToRun.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	OfficeClickToRun.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\rsod\powerpivot.x-none.msi.16.x-none.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\PROOF\MSGR8ES.LEX	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\sdxs\FA000000062\CritiqueCategoryStrings.resjson	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\HomeStudent2021R_Retail-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\SkypeforBusiness2021R_Trial-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\MondoR_Trial-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.nb-no.dll	expand.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\8e28a4618f1d4e0d866ff5af9b270047$dpx$.tmp\4c3b2fcfb85ede4b9dc5321eaef37689.tmp	expand.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\FORMS\1033\RSSITEMS.ICO	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Professional2021R_Trial-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll	OInstall.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\VBAJET32.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\HomeBusiness2021R_Trial1-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\OSFINTL.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\PowerPoint2021R_OEM_Perp-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Personal2021DemoR_BypassTrial180-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\VisioPro2019VL_KMS_Client_AE-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Microsoft.Identity.Client.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll	OInstall.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.DataIntegration.FuzzyMatchingCommon.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEODBC.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\sql90.xsl	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\HomeStudent2019R_Retail-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\ProfessionalR_Grace-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\PersonalPipcR_OEM_Perp-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\sdxs\FA000000054\powerbi-32.png	OfficeClickToRun.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\8e28a4618f1d4e0d866ff5af9b270047$dpx$.tmp\ad5fca53bbd42244bcef3782e74e5ced.tmp	expand.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\ProjectStdVL_MAK-ul-phn.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Publisher2021VL_KMS_Client_AE-ul.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Personal2021R_Trial-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesX86\Microsoft Office\Office16\NPSPWRAP.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\api-ms-win-crt-private-l1-1-0.dll	expand.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\ProjectPro2019R_Retail-ul-phn.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Excel2019VL_MAK_AE-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\SkypeforBusinessEntryR_PrepidBypass-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msolui.rll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\PublisherVL_KMS_Client-ul.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\libssl-1_1-x64.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\1033\MSSRINTL.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\VisioProXC2RVL_MAKC2R-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\1033\ClientLangPack2021_eula.txt	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\MSTAG.TLB	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\LogoImages\OutlookLogoSmall.scale-140.png	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\sdxs\FA000000070\assets\src\assets\images\[email protected]	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\O365BusinessR_SubTrial-pl.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ClickToRun\C2RINTL.fi-fi.dll	expand.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\HomeBusinessR_Retail-ul-phn.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\SkypeforBusinessEntry2019R_PrepidBypass-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\CONVERT\1033\OLTASKR.FAE	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\SkypeforBusiness2021R_Trial-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\rsod\onenotemui.msi.16.en-us.boot.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\rsod\osmuxmui.msi.16.en-us.tree.dat	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\SystemX86\msvcp140_2.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Stationery\1033\DADSHIRT.HTM	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\VisioProXC2RVL_MAKC2R-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\ProPlus2019R_OEM_Perp2-ppd.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Mso98win32client.dll	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\OutlookR_Retail-ul-oob.xrm-ms	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\RICHED20.DLL	OfficeClickToRun.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\1033\MidgardStrings.Rollback.json	OfficeClickToRun.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2408	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OfficeClickToRun.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	OfficeClickToRun.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	OfficeClickToRun.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	OfficeClickToRun.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2684	taskkill.exe
580	taskkill.exe
2472	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|1707772513"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\all\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.7	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\ChunkCount = "uint64_t\|0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.4	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\ApplicationFlags = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\FirstSessionUpgradeCandidate	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.9	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.5	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.5	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935}\DeviceTicket = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000057546efadec1204daea25b178affd03f00000000020000000000106600000001000020000000af084ba2c699a7f415d42e509ca30ff66314d5d70f05145944cf14ee4fd0a2da000000000e80000000020000200000002243b831f117d3cc9613fbfe10bd15aac81e64898eeed97489f4810416d0eea6f003000043cb5248ab4e14c68ba5e42d5c9012360fbe442216cc96cffae90e18184ce5b9d08f3d28fc50dc14d1de9ec10108de5700d9bee6d7ba2de9c3d0eccaf9f5d3755a95632dd13a7bd23a197ad4d035ecf7e55acc092b9e23664c5a977477d678db4e96e3a9506cf17703275f2cb9284cb753ea17ba37ed1d3e58fe51e861e1a21f2a5d08992fd605f389714e975b5659bcf9a6a9c834e4c3c6f218e584797c1cd693034fbebd3a8e0c344a1d562393de7d1e91c06daccaf31523bc5b0da4ef9126b6d242747a400774b912c91461c3ee18054a37590f0435997ed757f6322b6627ca7b8cf2588d88fd6aa5cbe4807a81b489c7fd98a877bd26a1f0b25bb5d79f0d6906bb79a9ad9c5f59aa2d5578708b50c2f5d908e1cccc1a4280fd1ddbbeff1f68ac347f09b4e0570448bdc3b91d1bf8099b0a8ba7381ea62068a92b2e8d5ce3e92bcb90ca4724ec06c93cca61ac354829dabf22df640226e76685f58a8eaafc1cdc6a25eae77416ce06f33ab95429ac13cdfa28931447e2ff05db523f64a9789db7c640c7f7d11259db119a67d4aa4ae8994ad78c3342fd2f83572ab4034d629d487c2348c5e208bd1e2c00d2b0413f0d39cfaf2d286237367b082966caa5df16b54a394ff42c688227cf4e5deccd3da6d254f6eff4f7ea5275007f07f8905da3b66fab34c36ae47297529fe1f0c1bf8f5c1b950b33b65ac84b3650925267a50aaac708e01b639f4c84cfa2d7ffef66b88cc03f706bf893f02ca5adc8f4b29bc1502c93c1211395dd00065194e10bfb96a9c491a7c027eb958df496676465f5acce0f096759f0bd457c06775b68fa0c346cf36f3511f1a8b8b69827ec3b7509b6c2b728f615b9855aa2d435bdd9a3e1fa80f225a102c7889ddc5c1c7b43fe9c5bec4afca3cc2493177d35cacd2b67100a742dc63521ae9cc571dd0669ccc816399a515b1af1393a7fbb608a4bd8a582901b15a5a051b236e5ed6f08515d938e1eba16be6960b9b262c6feb9fa0e04a9f9f52782187de9c5bea38420521e6587910284978c6328d06cb1daa9b578b8df094a5ba771296bc49c0158e09281f7af586c0c64964fa427fd54d9c5afe28aeffcc2127aa5f78166a149d4f3f692aa15f99c5d64b891a4c2a5e2f4aca62aecb11e4fe0d298fe1135193ff0d76664991c273cae3ff98323b11d266f6df1b131f594f4b713a6b90fb8c2190dd9fc6322f5720956541b6c1ebad5da51a8f4eebd9423242e15a54db5e5b7683c58a5216d830c055cb34f9362a043293f9200001796bd147474d30ca2be8f3897b64bc34c839d31ddd41dc9090f7f8be5c477020d480639770a3607d81cb9f1926c30487bf9f1a191c4f89e99f13aad22ded61271473fe83f5fca382ac8cea1fa1ef1f75e91ab022ef159fa2e59cfc86664718427cf40000000b039c193387c5fc874e83c4e32b4a97ba7e39b43a16b165dfa2155bf5b09da267931266621c1f58414585fd2d100e01267440183005b4a4a3e40658b0c85e323	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.6	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.8	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.3	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	OfficeClickToRun.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\Immersive\production\Property\0018C00CEB251E61 = 0100000001000000d08c9ddf0115d1118c7a00c04fc297eb0100000057546efadec1204daea25b178affd03f00000000020000000000106600000001000020000000b02f6448ae5c0941a93057a2bd89d2034e7bd50121a26c226cbb7c7ed5b8a959000000000e80000000020000200000000719564b1d0eccb0ea921c539b10ab3606e122400057184849805500c6ab976b800000003ac3916cc8c4cdbb0c47a3296f6aa54bf0b34d2dc6ef7ca039ca7fa3e994070e8005c3acbae3a2c9e99f34a82b6db7048533b47cbe1aef99f26fc2ba4360f70d8e54c15b7c1d76079ac577677681a9cd8e080df10b98cbe952a4ffa4eb8f0b4d82c7666c730e1ac3a6c2ff2ed1b0f0372d4e2492eb5e0863e082192a0f48c7e9400000007b809d1818505eb68d5b2551d30b9f74ce2bb0fe101ea93179bbd3861efcd65f7701422591b23d840c5f14cf6dd0cffaf31a6019649dc3b586256f0b121ed41d	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\Expires = "int64_t\|0"	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.11	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.3	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\officeclicktorun\Overrides	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\Experiment\officeclicktorun\BuildNumber = "16.0.14332"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.11	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\DeferredConfigs = "std::wstring\|"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	OfficeClickToRun.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.1	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\VersionId = "uint16_t\|0"	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\Common\ClientTelemetry	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun	OfficeClickToRun.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ConfigContextData\0.12	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentEcs\Overrides	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 50,1329 10,1329 15,1329 100,1329 6"	OfficeClickToRun.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\officeclicktorun\ETag = "std::wstring\|\"L+eaxsHVJGnsMod4A7txssWF352XqrLPMExJ5+ccKT4=\""	OfficeClickToRun.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	OfficeClickToRun.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2201820139-2432375203-2549035866-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4936	reg.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3984	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2668	powershell.exe
2668	powershell.exe
6132	powershell.exe
6132	powershell.exe
6008	powershell.exe
6008	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4696	OInstall.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2220	WMIC.exe
Token: SeSecurityPrivilege	2220	WMIC.exe
Token: SeTakeOwnershipPrivilege	2220	WMIC.exe
Token: SeLoadDriverPrivilege	2220	WMIC.exe
Token: SeSystemProfilePrivilege	2220	WMIC.exe
Token: SeSystemtimePrivilege	2220	WMIC.exe
Token: SeProfSingleProcessPrivilege	2220	WMIC.exe
Token: SeIncBasePriorityPrivilege	2220	WMIC.exe
Token: SeCreatePagefilePrivilege	2220	WMIC.exe
Token: SeBackupPrivilege	2220	WMIC.exe
Token: SeRestorePrivilege	2220	WMIC.exe
Token: SeShutdownPrivilege	2220	WMIC.exe
Token: SeDebugPrivilege	2220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2220	WMIC.exe
Token: SeRemoteShutdownPrivilege	2220	WMIC.exe
Token: SeUndockPrivilege	2220	WMIC.exe
Token: SeManageVolumePrivilege	2220	WMIC.exe
Token: 33	2220	WMIC.exe
Token: 34	2220	WMIC.exe
Token: 35	2220	WMIC.exe
Token: 36	2220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe
Token: SeSecurityPrivilege	2436	WMIC.exe
Token: SeTakeOwnershipPrivilege	2436	WMIC.exe
Token: SeLoadDriverPrivilege	2436	WMIC.exe
Token: SeSystemProfilePrivilege	2436	WMIC.exe
Token: SeSystemtimePrivilege	2436	WMIC.exe
Token: SeProfSingleProcessPrivilege	2436	WMIC.exe
Token: SeIncBasePriorityPrivilege	2436	WMIC.exe
Token: SeCreatePagefilePrivilege	2436	WMIC.exe
Token: SeBackupPrivilege	2436	WMIC.exe
Token: SeRestorePrivilege	2436	WMIC.exe
Token: SeShutdownPrivilege	2436	WMIC.exe
Token: SeDebugPrivilege	2436	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2436	WMIC.exe
Token: SeRemoteShutdownPrivilege	2436	WMIC.exe
Token: SeUndockPrivilege	2436	WMIC.exe
Token: SeManageVolumePrivilege	2436	WMIC.exe
Token: 33	2436	WMIC.exe
Token: 34	2436	WMIC.exe
Token: 35	2436	WMIC.exe
Token: 36	2436	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2436	WMIC.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
3240	OfficeC2RClient.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe
5720	OfficeClickToRun.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
488	MiniSearchHost.exe
5720	OfficeClickToRun.exe
4864	OfficeClickToRun.exe
3240	OfficeC2RClient.exe
3240	OfficeC2RClient.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 2180	4696	OInstall.exe	76
PID 4696 wrote to memory of 2180	4696	OInstall.exe	76
PID 4696 wrote to memory of 2188	4696	OInstall.exe	78
PID 4696 wrote to memory of 2188	4696	OInstall.exe	78
PID 2180 wrote to memory of 2220	2180	cmd.exe	80
PID 2180 wrote to memory of 2220	2180	cmd.exe	80
PID 4696 wrote to memory of 2116	4696	OInstall.exe	82
PID 4696 wrote to memory of 2116	4696	OInstall.exe	82
PID 4696 wrote to memory of 5704	4696	OInstall.exe	84
PID 4696 wrote to memory of 5704	4696	OInstall.exe	84
PID 2116 wrote to memory of 1516	2116	cmd.exe	85
PID 2116 wrote to memory of 1516	2116	cmd.exe	85
PID 2116 wrote to memory of 1516	2116	cmd.exe	85
PID 5704 wrote to memory of 2436	5704	cmd.exe	87
PID 5704 wrote to memory of 2436	5704	cmd.exe	87
PID 4696 wrote to memory of 2668	4696	OInstall.exe	88
PID 4696 wrote to memory of 2668	4696	OInstall.exe	88
PID 4696 wrote to memory of 2668	4696	OInstall.exe	88
PID 4696 wrote to memory of 4144	4696	OInstall.exe	93
PID 4696 wrote to memory of 4144	4696	OInstall.exe	93
PID 4696 wrote to memory of 2056	4696	OInstall.exe	95
PID 4696 wrote to memory of 2056	4696	OInstall.exe	95
PID 4696 wrote to memory of 4876	4696	OInstall.exe	97
PID 4696 wrote to memory of 4876	4696	OInstall.exe	97
PID 4696 wrote to memory of 2448	4696	OInstall.exe	99
PID 4696 wrote to memory of 2448	4696	OInstall.exe	99
PID 4696 wrote to memory of 6112	4696	OInstall.exe	101
PID 4696 wrote to memory of 6112	4696	OInstall.exe	101
PID 6112 wrote to memory of 3984	6112	cmd.exe	103
PID 6112 wrote to memory of 3984	6112	cmd.exe	103
PID 4696 wrote to memory of 4936	4696	OInstall.exe	104
PID 4696 wrote to memory of 4936	4696	OInstall.exe	104
PID 4696 wrote to memory of 3120	4696	OInstall.exe	106
PID 4696 wrote to memory of 3120	4696	OInstall.exe	106
PID 3120 wrote to memory of 2408	3120	cmd.exe	108
PID 3120 wrote to memory of 2408	3120	cmd.exe	108
PID 4696 wrote to memory of 2684	4696	OInstall.exe	109
PID 4696 wrote to memory of 2684	4696	OInstall.exe	109
PID 4696 wrote to memory of 2684	4696	OInstall.exe	109
PID 4696 wrote to memory of 580	4696	OInstall.exe	112
PID 4696 wrote to memory of 580	4696	OInstall.exe	112
PID 4696 wrote to memory of 580	4696	OInstall.exe	112
PID 4696 wrote to memory of 2472	4696	OInstall.exe	114
PID 4696 wrote to memory of 2472	4696	OInstall.exe	114
PID 4696 wrote to memory of 2472	4696	OInstall.exe	114
PID 4696 wrote to memory of 6132	4696	OInstall.exe	116
PID 4696 wrote to memory of 6132	4696	OInstall.exe	116
PID 4696 wrote to memory of 6132	4696	OInstall.exe	116
PID 4696 wrote to memory of 3844	4696	OInstall.exe	118
PID 4696 wrote to memory of 3844	4696	OInstall.exe	118
PID 4696 wrote to memory of 3844	4696	OInstall.exe	118
PID 4696 wrote to memory of 6008	4696	OInstall.exe	120
PID 4696 wrote to memory of 6008	4696	OInstall.exe	120
PID 4696 wrote to memory of 6008	4696	OInstall.exe	120
PID 4696 wrote to memory of 1260	4696	OInstall.exe	122
PID 4696 wrote to memory of 1260	4696	OInstall.exe	122
PID 4696 wrote to memory of 1260	4696	OInstall.exe	122
PID 4696 wrote to memory of 5720	4696	OInstall.exe	124
PID 4696 wrote to memory of 5720	4696	OInstall.exe	124

C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\OInstall.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:4696
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\OInstall.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\OInstall.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings" /v Enabled /t REG_DWORD /d 1 /f
  2⤵
  PID:2188
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    PID:1516
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\files"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5704
- - C:\Windows\System32\Wbem\WMIC.exe
    WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionPath="C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\files"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -nop -command "& { (New-Object Net.WebClient).DownloadFile('https://mrodevicemgr.officeapps.live.com/mrodevicemgrsvc/api/v2/C2RReleaseData', 'C:\Users\Admin\AppData\Local\Temp\ver.txt') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServiceName /t REG_SZ /d kms.loli.best /f
  2⤵
  PID:4144
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServicePort /t REG_SZ /d 1688 /f
  2⤵
  PID:2056
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServiceName /t REG_SZ /d kms.loli.best /f
  2⤵
  PID:4876
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform" /v KeyManagementServicePort /t REG_SZ /d 1688 /f
  2⤵
  PID:2448
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c regedit.exe -s C:\Users\Admin\AppData\Local\Temp\newui.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:6112
- - C:\Windows\regedit.exe
    regedit.exe -s C:\Users\Admin\AppData\Local\Temp\newui.reg
    3⤵
    - Runs .reg file with regedit
    PID:3984
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate /v UpdateBranch /d PerpetualVL2021 /f
  2⤵
  - Modifies registry key
  PID:4936
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /c sc.exe stop ClickToRunSvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\System32\sc.exe
    sc.exe stop ClickToRunSvc
    3⤵
    - Launches sc.exe
    PID:2408
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM OfficeClickToRun.exe
  2⤵
  - Kills process with taskkill
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM IntegratedOffice.exe
  2⤵
  - Kills process with taskkill
  PID:580
- C:\Windows\SysWOW64\taskkill.exe
  "taskkill.exe" /t /f /IM OfficeC2RClient.exe
  2⤵
  - Kills process with taskkill
  PID:2472
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i640.cab', 'C:\Users\Admin\AppData\Local\Temp\over219349\i640.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Windows\SysWOW64\expand.exe
  "expand" i640.cab -F:* "C:\Program Files\Common Files\Microsoft Shared\ClickToRun"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:3844
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e/Office/Data/16.0.14332.20624/i641033.cab', 'C:\Users\Admin\AppData\Local\Temp\over219349\i641033.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:6008
- C:\Windows\SysWOW64\expand.exe
  "expand" i641033.cab -F:* "C:\Program Files\Common Files\Microsoft Shared\ClickToRun"
  2⤵
  - Drops file in Windows directory
  PID:1260
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" deliverymechanism=5030841d-c919-4594-8d2d-84ae4f96e58e platform=x64 productreleaseid=none culture=en-us defaultplatform=False lcid=1033 b= storeid= forceupgrade=True piniconstotaskbar=False pidkeys=KDX7X-BNVR8-TXXGX-4Q7Y8-78VT3 forceappshutdown=True autoactivate=1 productstoadd=Standard2021Volume.16_en-us_x-none scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e version.16=16.0.14332.20624 mediatype.16=CDN baseurl.16=http://officecdn.microsoft.com/pr/5030841d-c919-4594-8d2d-84ae4f96e58e sourcetype.16=CDN displaylevel=True uninstallpreviousversion=True Standard2021Volume.excludedapps.16=publisher,groove,onenote,onedrive,teams
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5720

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:488

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
1⤵
PID:4344

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4864

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe" /progressandlaunch AppTargets="root\office16\excel.exe|root\office16\outlook.exe|root\office16\powerpnt.exe|root\office16\winword.exe" ManualUpgrade=False ScenarioToTrack="Scenario:{477E0208-58BD-4F33-978A-09BCC9AA9EB1}@INSTALL"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVMANIFEST.dll

Filesize
985KB

MD5
b992640abf4ea6cdac53d8b38076f845

SHA1
ed480fe74fb663e0192098c99a822022b380481c

SHA256
f945dddd970b1bd95c6f713f3a1797a2f0772bbaaee0803f43e39fd748d4502a

SHA512
a3b1beef8df9a0f14eda0cd6d01895bd17c346fd930284806cea6657b3c73df8899c699484742a45753dc0cd85b4b92e7e5b6d31b4f94ccc9865959f28fbc0d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\APPVPOLICY.dll

Filesize
512KB

MD5
79264edc89e095e9f2c04050dbfa2a7c

SHA1
e601a32e5038bed68919469ab7225d6cf7e8d6b6

SHA256
c3a994caa2018ffad29ab032cf6cb475fbdc8b5932fbcbfa545742522eaba3ee

SHA512
6c21daa37cc8ad02b17eff74d941acf76ca0332a04060628f6bddf6474bce3d44ffc363b114492597d4dc673fffb66a10a0468ee002fcd9ae876d17580a147a0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVCatalog.dll

Filesize
576KB

MD5
e5b3d98ea96da8f4747090a5d641785c

SHA1
acf6800db2b78a8f20f232186b10a48f5975ca86

SHA256
176b4cc8424338b0b51129c348af063002a90e754bc6f75913fb17481031561c

SHA512
5080433e476d5d3b396a41196fa0e59d18cd790388927662409ccb99c4168da11f29b96a97829e6ad486c508a1b84d0de0252471a70794fb164f03bc218e9303

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIntegration.dll

Filesize
448KB

MD5
f540c0a8730079ffc4d140514db96117

SHA1
144319e8b82e7e6d86b0e8cc82476b71eab712b9

SHA256
3f0527c1bafd508075323e31b5bd238fa8772843090db2e1f3fd4c3b38a424c5

SHA512
b7b065ab2e4aeb3f66402661a466f41ff39a405cb385f0469140e543260f50530ed691d6d9ae4fb9a06e11a2c8ed899b4a4ce176664e1fe42e388b12b9e54ca5

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvSubsystemController.dll

Filesize
128KB

MD5
f7125159a0330419fc2d54b482b05f98

SHA1
170e0c82705f1d0e7ddebedb2bdbb5848a3d76e7

SHA256
0895a7d9a746207c72c689521b796b6563d14fc84d4da0009bb036634176eece

SHA512
4267164d7fe8bc201874fa44ba7f75900fa156b2a8e98d691b22928febf908480b1f47fe8c175fa78e567aa544ead2e5305c6dd311cab7a4d4239bb074b7b0d9

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVIsvVirtualization.dll

Filesize
569KB

MD5
15f5792844af082587747a09f1123a0d

SHA1
558999ff58818971f96dfff4f433afa596794ba7

SHA256
e5188cf139c4af572588fe794b7392479a0bf59aef86666a0a22db121e41da9d

SHA512
7de7f740bab5dcafb9f502853963547c7e50993404535dbcd39b88a586a2bf31b50f1eebe4682ee5fa458a00948af44dc104daa0b595c2c02d6901a81beab24f

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\AppVOrchestration.dll

Filesize
829KB

MD5
ddc59d3df358f9372708531b977848c3

SHA1
e1a0f9b58dc5579bbd5845bb6d3a7da3b5d8b7da

SHA256
fedc8cf10ab72e7a0ec3a493356157028fe16d2ae97f73dead28fffde1b7c935

SHA512
4b75fe159eeadd71fea2e3b569796ce547808bff5c183d271e3d2aed7ef11311121f7ec768bcbc1c0354b771f971aa2b46836a8a6c2b0c1d2f8b21922943dbd3

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\IntegratedOffice.exe

Filesize
384KB

MD5
e030a0d821d826650affde170599dbe4

SHA1
1439b0200199b256c4ce12dd6b4b7127e53e63ee

SHA256
bf7439a0611a6c287562cc08c9d1b373f4bdbb0be78670cfe8299ef057d778e3

SHA512
1ae22fbc4c457b3eb275e6d7b281edf5ea0eaf1ad58173752a14710c6839a9679147ff399e51a1e748e7b748a9bb90ea91bd0413aa814180a9c6c9dfb436fe15

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\MSIX.dll

Filesize
704KB

MD5
02b8d2797219ceeffa68260a4ca6323f

SHA1
73a7b860b86c7dc21a809e749392422ce552e3cd

SHA256
369c6c69b64e9ba5b6a846f47655bcafe3173a7790223cfa0686824bbbf13582

SHA512
50ea9645a565f330b693ab0c17bca02256230b2dd1612f4e36908c50f9fadbe0a649ee420e1c505c638620e42975c583f182aa8f662a9f3e538e35a04efdf250

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe

Filesize
5.6MB

MD5
f5f92c2979dcae886fcea7cbe4a53c61

SHA1
66038933046c8df4787c971ee07be1be1858a6be

SHA256
3b4e224d809e0f99e262d89c8d9188aee3b6922df83c07ae490c99d45f6d945d

SHA512
341b696bda5b5f9f158adf2ae412752e800b52f95193a0a15d14df44c63565278b5e1469cf6e599cac29026fd5605500c2a80f0385701a3202b4b9f7fa6a08e0

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\StreamServer.dll

Filesize
960KB

MD5
67a9875732272c9cf174870858294c1f

SHA1
1322e9e3dd46971c06ee7018b95efa2a6851a454

SHA256
71c54f2335f4501219476b4f363eccc41bccc08bc952e4afb022c364d9d6bda7

SHA512
82d0197157b46999e96b4e201c8bf82e05550bfc042a397b84d4cab85aae73e52aefb0b90ed10a02e41faeb0f12cfa9e3fa9d8b63fccb208ef42469aa7d74b5d

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\appvisvsubsystems32.dll

Filesize
448KB

MD5
51bcb01b64ff74ccd0e88ff711cb21ef

SHA1
6a109940acda819bda2ad7df202050033b6d16af

SHA256
7a544c01bd95c33b53ca89c5618e10d4de87d626ea7d3dc21694814cc51a1149

SHA512
d8b665d912521e6cd4597c9c318d05264a019e5a46ffdb8214ef9e3d122d88d215b7e34f112a77621bbd6160db699e39ea54309ec3565bef9c7da4462436c7ff

Download Submit
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\repoman.dll

Filesize
896KB

MD5
09b77bec15a6b41f318d39bccc7197c1

SHA1
a5a8517a33aa9c616aada9075393618cda1f4806

SHA256
da481215a74da6d6098b2d3e74e2026a462fa4dae20db09bfdc2bb4c64931728

SHA512
c36f0a1e583f365c506abb01ce7a51b45935affab6da25c5fc48038a2a214ee60c3ff908e9f16a3cdd2e6b56b785a13943b180369e111b2b17b518afdcd3bec4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\ApiClient.dll

Filesize
229KB

MD5
cc2b3930ea10d482dfa35233adb38bce

SHA1
d7243b76955e18f0b43632fdce3e3fdb21226d85

SHA256
d97d46b602bc3b9187a3aa80e13ce7c1ca6cdd6d3ad9e5f8c56448681055b46e

SHA512
ee5dc4ad9d2168964b8e61eaa7edbeac6cef83d24e00fb5af9e783607c56186ac161907cffb1ad2c3e0d1a24b2cd81421bb12e2a647f93ce087253ff7897b739

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVCatalog.dll

Filesize
512KB

MD5
961c2962f9b6a0ceb97137e4b2ca4237

SHA1
327e6b30102d47dd0bb30cd14f40440a4450cdf4

SHA256
d845ab1454e663788302ed997be7f904515fa5e8013618ea7c9b4ed37080c56f

SHA512
be923ba6d694a41be3f895529c866dd79d5482e8c1d9a7fcaaab099a0dfe5fdfe44484a7a9e50e98747324f7fcf8206ebdf05a107182c09d1c3176fb7ea26c65

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVFileSystemMetadata.dll

Filesize
296KB

MD5
47df99fe851db855c5507328f660dcf5

SHA1
195a33f0b91d6fda50d48c98c8e9bbfacfbf331b

SHA256
15646e0312a8ac15305efb382ce658ca37e6d4e4b73f93387589fd1d8139e3db

SHA512
5de2564d67dbf37ec38d40ac3b2d11fae4318744655941a763a514ed35d38fdf55694852789ca98d9e11c9ead5f997f8091d1413e20d511aba9aef1f8c46d5ea

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIntegration.dll

Filesize
320KB

MD5
43e315a560a2be4a293914e8b91fae57

SHA1
a1d84d698deb5d48f3d8098d867dd5a36b8d4077

SHA256
83f48693f1c9225fb627bc3b50f9e347039912622452c66fc2b07b97b98b8ff4

SHA512
df91c49e2f78d92aff300693820d95293c2f1a6f4b4d2a8747fe679d25f6f7117aed1bf447f7936cf6e316dd336752480b4bfadb8d9b65121e4f8d6fabd1642f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvApi.dll

Filesize
404KB

MD5
fc0e1d121cdded19e7b98cd995bde281

SHA1
102ebe6eb24cf598d559b305423b38896a8208cc

SHA256
7ccc472997dc3d5080cac6918bbd7ba172a4e674f59b5721e7487cd9b101d64d

SHA512
7077503a5265554f85364744385c4db557cc87f3540688f661c3f139e94cf107ceb2fdac51235a92030ce9dc19a411326ac720ff0925d9d28894afa4b3a0989c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll

Filesize
188KB

MD5
4d3d26e3dee4398c1127903171ceb1c3

SHA1
95e316fe28d10ab358eaf71cc1bc66e3912d55a0

SHA256
3f54dc6589030ea96e0022e2a36624d9f8aba31a0940db4f2da3773739f5fd3c

SHA512
7241f433e9c970d16658fc3498235804de128564c7be25afce9c3d75d14000e738a9cc8de343c339f47144f243250eb8918f4ddaef783fae1b0dae0a1d5bcb45

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvSubsystemController.dll

Filesize
640KB

MD5
b8ee7925947b6172e328b285b4402a0e

SHA1
5ae358772c0fd21f181357775e3e17fcd784d5d1

SHA256
54618ee410230af5af5172afbb4b54368623d0ff41f79f116d04c51708b3e650

SHA512
d5d58044db7885caa7f2cdd48c35a7c8284b8fe1b5798cd0141a82e43c2b1fc44594528fb23407198422dcf4f379c9d34e653afa62d7148a32c8892e62815d79

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll

Filesize
448KB

MD5
35b8fdd66634fa33a0232b60bebbd3cc

SHA1
0280b1b73ec069020722e0b3f693f59978a43ff8

SHA256
6ed704a3e82f0021dfb334c518c0b6e613f0106f5db29c59b1318d5c5a528088

SHA512
970f07fb0c74c58b6f578964ba5220c9d4843ec092fd804393290f522d051ca6a28d9a06c79396555f239439db0e6d76cb6b770bf9c8fabd9a06a1f65f54c258

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVManifest.dll

Filesize
704KB

MD5
ae90b2bf800eeb54b679ad8c2bb0f5c0

SHA1
8390b9bdf647df24fa7916c7e12506863e109054

SHA256
8303a6f8e40961d8770439a250cdf5f4d318a2f3d2744a978af5aa2e40559ab5

SHA512
111024916ca5155fb9f6a5ced86440c3d24e93d978d79a75a84654d18d43364e99b7d9510909be9cfcc668dc3a15fee7b86f0a63b52a14ae6fa1c0c284c0153d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVOrchestration.dll

Filesize
448KB

MD5
f2a027c4d7634a9d6b291fd299fb95c4

SHA1
51a5c989988d99d3854e4710acb9751980525d07

SHA256
cd65706068936538ea83fa118df851b5519e020a7eeebeffc198f2debbe383b8

SHA512
b22f25f97c2c73b625a9fe0e41af01c8357805fe3ae6fcf53d10169fb58fac81ca766f5c07437fd4fb466df5688d3d510f3396cbf68c9f346ac73921566ef5f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll

Filesize
1.0MB

MD5
20ae1459b18c035d187ebd44d6fe23c2

SHA1
9fd7012e099ab2c8a39341e7260f050e6c997a6d

SHA256
f694caa849ce8b91e5ff374af38c8fc13af15b477b6f3401a13056da11d6f818

SHA512
978ab47b667ca96cb16c02a19692433d1dd46f1209a4fc17e6ebab026b3a665b98298ef1df877faf77d3fd460f052da80c2e6d1ed40cbcb2da97bb648700e585

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.en-us.dll

Filesize
45KB

MD5
ba4c813c99e76e39b23cb0cb279b06ce

SHA1
2bed65a5d185d23a88cbc73bd0f69b85192f6cf8

SHA256
584f945ce122396e1efcfc64e3703b694c22c7ff60c3431895ec69afc4097029

SHA512
f605dff3e61041548ce7e539544a36515a5ff041dcfe14f781a889e7b1b1bd53af590395716ce0d46cb24d4e355eed4692216998cea68a4bde2b0735823b25c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll

Filesize
307KB

MD5
51ba257a39ad7d251582f23d7842d457

SHA1
9ed4b35fc5629aaeab29402c7248e3f2250223bb

SHA256
5ad910326de3fec8de0b04dee81e7abe5deb87ce8272c032d4a261caff146419

SHA512
a703c45ce887c64346798eb74cd2b9b9dafb1bc0edc4fabdf7a43d5d213287e6d722af0c7dfda28b85af3e921db9fa499e2221a7ee0f412ae1c51f0ee76df4e8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RUI.dll

Filesize
3.0MB

MD5
67bc7fa8d3a9c44299e61680ddb91e7d

SHA1
e0afa434a2b95542bac1b506a2bf5af1202ec1d3

SHA256
0c2adec9005b49a834343b97af6ad2fcf0aaad0d6aac833db786c18d044752ab

SHA512
9591df3776ef03c07a9205a6749bdc6c812364c2cbe557e3dad886aa01f4dc653a0cb1c767adf090976b4c3044ae9f2734087c8b4cd5e2f3b1f409237bab16f3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MSVCP140.dll

Filesize
384KB

MD5
bc192d7acfcce3c6a21ab3f293a821ed

SHA1
ede0ba824697330dd99d6afb1614e0afbad34a69

SHA256
0b0623bb34bc6bf230a1f9e4dbb8dfcda1597b812b47af8b8b09882116be8c9f

SHA512
6c4d973cab0c84279c8b0aa1b7107cf0f08922f69781e31ac08f2dc82fa15c9ea151aca1fba9c7b7ac0fd0e3c9fcfb0805b468f5500cb4166b2064cbb59ff681

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
5.1MB

MD5
d0c2a4f7b39c05902f17163550e60566

SHA1
ccf55af75034ae38ad147d70b673b69de57bed96

SHA256
5f9ad357e536cc5f7443cad80c8cd81e8aed0b9ec46b038b36c139b859826286

SHA512
ed204990a10864fb6f44f28d892f838263570449042c01d7cda225e0ec6f0e8131349867f861aefaa1e1a91afdeb1e9ec95eb54a350b56cf3fbd1f327b50dfb4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
2.1MB

MD5
3c80db6b832803184cbee03d1f2048b3

SHA1
66f9fa80c81cff9014cceb5edc3621241d57c7a4

SHA256
4848bc79cabd0ea2222b0d308b2f161a3f1c82244ada6a478725fa84a32f51bd

SHA512
a696050814e6a8e7abd1ed1d3b011e34f50c39035125b5b019aa9fde33d436b24e45be640beca1e4953f7e227415997ea5975bebb994622a9011da34721a5db7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
506KB

MD5
260ba03df1cbaeb187da2fbdac8c196e

SHA1
6b52faddb225da33169a68d3da3f1a5de72bb2da

SHA256
b25aca2840b6f19a62a9877b7366f7bf6928887b71efd533f5d8e0dc7d2fd9ce

SHA512
8b3ac89fc9e238f168170eaaab5e9238f7559e0969c893515c9bc6fb7f16e7aacb6bf77ab197a5fcf338449fcd43ebccb0a01db11a4a0b027c1bceb3f7677ec7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe

Filesize
3.1MB

MD5
ae7af4a29c816b6d442fb653001cc8e5

SHA1
01d23f26a71a6c51824f480f1399d3d12ce6dd7c

SHA256
68eb0996beaf0546fe47bd82821cd1915a40545c0186ad84677c97c9df35d443

SHA512
81184ba1f83c8ccef2c575a5b8326e0a6352b2dc5cf02e8e6aa9e0be8deeb9740e5aaf7f5ddffa9ca77f616e95a4c139fc613aa75bd0dfeef623e4a980bbc337

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\RepoMan.dll

Filesize
2.2MB

MD5
479e0372ce20cc39e978056e66c7052f

SHA1
319c3fcbc724ca5a4005bae5a0ba02af6a343b47

SHA256
aeb20c12ec84419945287807c64ea7eb40e2d385df485526466add7408acd0d6

SHA512
5009f96bdeca9fb151c2c4b7e4ad39399d05466ccfdf406cfb300bbb366d8f4634c2303bb4fda27eef09f9a31122b69af8b63af12e7face9f515128d1f62d545

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\StreamServer.dll

Filesize
2.9MB

MD5
588e60457ab1b97af6807799af5351fe

SHA1
5c6e4257bffe73cdd4613d0d3f35bc8109b26d1b

SHA256
c75f8263fa36fd312e0474a59f1ddcc435f16a55487130a1ccb2310b3b7b9f80

SHA512
ce552c0ca90db663daa15c82beec7a5e75fe5ddc7a09e28909838ea5b21e8fe518c3cd630b49b4e192ffdc2d74a72c55cb9f45f0588ec96712f6872b6678a7bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msix.dll

Filesize
1.9MB

MD5
55a1a3efbd1f697fe5903ce2efb73f78

SHA1
7ff12f4869edfeb9c080d3a66122ad3c59d4b064

SHA256
93d65aee85ed4c61b2f7d2b22e6fe05a195358baa10019df0816de6c5c6b1d8d

SHA512
18b9bedf6d287bc9c03b457db2cd7d1c8f54418f49077f139c14bbb0502c59b89ad2a1d38c2125a5f0c8e35db597623c4a1447b31cea8e703e19759626916622

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\msvcp140.dll

Filesize
550KB

MD5
c15a199252046e54b2447ac8a23a4f5f

SHA1
f9d6fc729ff7f03494a5f1f51b9693a7df689a7b

SHA256
18bc3e55806b676abbc598d1a4331b80ef4a7931101683b5080d0194a47e67cf

SHA512
0505ec128700604ed48c8bd385eb5e158d58ddc0e5f85f31424e96ac101e163bf3f344a8f1c3820bf63e63b18ee9cf0899f50c0b41b2dfd53e5d227a7aa4e855

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140.dll

Filesize
93KB

MD5
845a3a6471fb853d0d218518e4c48f8c

SHA1
ab4bad2575ab028b0cba13bb445e3c6dd965fb13

SHA256
48140e727d1f2438f4fab1e08632ba9c5c928b6c1a4584758391a4fe9d7d978d

SHA512
f0a13125a1e1904a9c2483295bd770106485dc1f31bbdb7d3f11ed48d9f7e8282ab46a070f57c82ef19c933608ce29abf6ef5744a61ed608b6026504194ce19f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\vcruntime140_1.dll

Filesize
35KB

MD5
6feeb6ba00dfee9cf3a2e4c6905af7f1

SHA1
5f7a7a74f9a7de8a344299bf966c0723da26a056

SHA256
092e91d8b179ce00c2a139afed85fc478632841e906e44b7ec2fb67268f5aef5

SHA512
a008c0df0796067fac98cf04dd2c2ef7e7b0c7248f92f6fb7c346ad77b72d45c60347f7cb974a81fd311408ba74822230f9b1a248ab1b4b06c54c13372d2bb4b

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe

Filesize
576KB

MD5
7b16cace87ee4138ceb628eac20f377a

SHA1
26f813496ba96f5ae0081c855998903910e2fb70

SHA256
1959bf4454088ee23b123af61bc8e819233c087f7bfcd461bdf302f910b13ac3

SHA512
93e9a2cd46f9edd120bc223d2772dd9509ca5ee6829f5958654e5d18c5f3a68df329eee460ffd5f7b6abfa1dda4bf9fc5eb69ec5d0b21ce5f62f395811ebddcf

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Client\AppVDllSurrogate.exe

Filesize
192KB

MD5
3d25087a765372f02c50aed534c2de18

SHA1
676080a7b55a90bbf70e7e3ec349e27b669cfc93

SHA256
f7fe5ca1862bfaf62375034bf99a88de8d6788aebde1dfad020d660acf9816af

SHA512
6634e80073ebb3efdc08e5b0d3351a9190f4979174db73bc5c48d3a288a6cf5207128437b015727f75b380558d97405ef2b7d5fe566e3971413bc9e0e7451c5a

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Client\AppVDllSurrogate32.exe

Filesize
163KB

MD5
09f69fedb2a0fc7640e58482a1d2e376

SHA1
5fae7357a2fb7234160825bde2e26953ac5cdd15

SHA256
0901808e159e5451c16dadf667f3654ff20c17ff04f37d9ce034e3b66e05cb73

SHA512
036b93213345a507de5632580b4dbd2fad976a3b5c64415d9bc2ed8ee91381a90fac0399ded54566a260746fc4c11d60924328417d1300067cabbc9f3f2139d0

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Client\AppVLP.exe

Filesize
488KB

MD5
a645b6805f82c01f96f4b80077e5987f

SHA1
b2bf8dfa921adec2dd8079ed7c1e798e6c8e7072

SHA256
be74c36a88eac6a09ef1699bf76e7018c0dfe5eac87cc40c899b9675cd9cdcdc

SHA512
a452d38e95c14ea879391e5d9af23a655fd280bd118b76579d67563924c353d560e8f19c43cf2effd3e127b73b2200bbcd6aa0cdefe657f222260ae41bb8ed8c

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Integration\C2RInt.16.msi

Filesize
704KB

MD5
898cefc1a2d62534bd95fef3050fc0f0

SHA1
6a0840b861c5a083f99a32b2e186c979aa51f890

SHA256
c9676830ac2e9ab768230ffa19a958b0f1ba899c8b09ed84cdf6ebfa44ca7011

SHA512
61b27b703258b5e98810ee8d0c17f6b9cb3cc24d244697886fbf9ba675130dd5508841cc7bc0851d29a682036f70eaa93426ddb7d194becb9145f77cd1b87a88

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Integration\Integrator.exe

Filesize
1.8MB

MD5
1f95026f425dbcac1f73850cb4696e69

SHA1
d2dbd276211a1a2556695c8aabc1edb7e6af955c

SHA256
84e5afd0e54c473c1fb297030801a4d3337e5997db43f34fac28d8e19fffc484

SHA512
6813f694b060f8008b26c1fecdfba1f48638b3a9efd9e107ba3503b2c7b8f6735d393bd56daf61202ac1d699094334dbb56ee81a7aa2506ab437119246d44aa3

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Integration\SPPRedist.msi

Filesize
640KB

MD5
9a900f877581a3383d9f7aa829bfcabb

SHA1
419bb2b428965ee4b0514156597579fbd649136e

SHA256
e1095f5ad4fe013b551fb93ff5e9ce1b9c8971364490ddca477e6217160d02b5

SHA512
fe3162dcc9d4359d92ebb755c3b4aade765230a3da9fa62d3c59e3cfadd8bb8d03f5dcb80b92fd9258d94500f0e156670781ffff1cd9f193329fc8fa3754ba1f

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Licenses16\Access2019R_Retail-ul-phn.xrm-ms

Filesize
14KB

MD5
36671a0805eed859d708137e8cb834c0

SHA1
a6f318e80ca1a538f015637a24cbd6830f0f1d31

SHA256
996e82f76247a6353adbf7718f7b54dfc8c0a070660db0a21e5af8f92a0514cc

SHA512
0c0e8961c37ba9c6d9c7254280f35901c11d074455010d90a4e6ef5ceec5d382efa6ec4453a70a46769565088fb18984eb71770c619a7b05ee0867a82f5013fe

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe

Filesize
22KB

MD5
7e1cc462da9fd9c7f2e327388b56f97d

SHA1
96a372bd93af44553ccb440efaef4acf5dfa3367

SHA256
e5eb2c70ce66092f31a6344226c6bf6c89d911831f08a899829d03bfdf922ab7

SHA512
227ce5626a72bb44f6022619fc9fbc3614dbb658382fc8570e43d0c06904b022fc08194da4ac3c58233961afde8795cc9d3eb288fbece28092804d56671ee02e

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.SPClient.Interfaces.DLL

Filesize
25KB

MD5
4b2dd4dab8dc2138f0c2e4fdbe89d826

SHA1
3c36e630f4098f26aa6857f7a715735236fe19b6

SHA256
b9cd87abd422f882e4be20f4c1b6fc262f76667de864da82295326d5cf7373e8

SHA512
976ef7f82cc87600b562084c0101673f1ad8f9c1711c7a00464719341ffe8471b769a3c43333e6a8a6e5f691b7084441270efe644a3839fc0584456d9b5192a5

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Configuration.SString.dll

Filesize
25KB

MD5
115efed9e7d99edf992a54d63edfc5ce

SHA1
e49c2b9737f8c1a3635a82349b838a5dcd793552

SHA256
03d0cbc11392c0ad133d266009d6aac8fc5c7261e9cb7a3d9329f16c7b09f4e6

SHA512
ba2de83c12e1dcea98ff0b237741923661ba8d8e66196cab11d254be3fc98cf22d07ec3bb55b0d1838ee090252fa9afb613024166ee93ffb52ae968f5d2c4678

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\EXCEL.EXE

Filesize
384KB

MD5
b1a2abc41fcc87ee89350333e5d31146

SHA1
142b2fd66c4e9b7a2faa0d6c42da3d0703113d01

SHA256
3b2e92ed48ad7a2cfca143569b748d1cd429f353c4c6037a43acde83924f73da

SHA512
62a2959cd1b6107d56699a765b998adf813ebc440eef3a9d0e84e2bb41f245611c330c3d8931606fa527e66896254109ac0cf9e6f5f3cab0f1f126d62bb8b7b7

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\NAMECONTROLSERVER.EXE

Filesize
136KB

MD5
f16eb70069986ededf5770f2f2cf28b5

SHA1
e07acfe99789b11dede1d9cfe1ce655d8966db72

SHA256
7b806b3133dac00955aec30e29521a1c4d9feeb6e17179e1a7adaa87fb45f11e

SHA512
ff2f61733b4193c1df216eb8876fa71f17b944a7b75d25d87ddcdccffbb557cad09aca766eac3164dae9cb7085030a8d03c628ff3be20aa6022f6e1f2a9e322a

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\ODBC Drivers\Salesforce\lib\zlibwapi.dll

Filesize
486KB

MD5
6b4387db7f98c0c007f7fcd0934d5e5c

SHA1
c588293eac7dc33033417af7a8b9571669dc3a18

SHA256
fb537a1a404a7e953b6bb951eeb935c933b7635a64e4af8a7a389ef07bed4dc6

SHA512
78c35b7aa136c7170c0833cef0a7ccdff8d4a2b8100859d1d135253ee41258abf7eddc454bdc54cf266b63a07914074e6cf807b307e71cd4f70126fbfd61b87d

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\OutlookAutoDiscover\YAHOO.COM.XML

Filesize
806B

MD5
fc9a01384283f760b245bafde02893ca

SHA1
27787bad85297baad51216df565e409dfac1d440

SHA256
7bdb5be38475510a7c05a3444b122a62e8cf4c05b35e656ca4deccce4a55d968

SHA512
a35db9e5336b752fdd25db32ee0584fcd93c9c366ab3119d1e5cdd235c8f77e44170fdf2ce6c182d02df750ed89b85926c2cf4bfd4b4f6d634ec0c20c100c0e0

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\SDXHelper.exe

Filesize
128KB

MD5
1ccc5a27aa962598a13cfce0c7e92e82

SHA1
aeb82b0b4d7ddcc1bf1c1df6da3f18b98b7d8355

SHA256
2ca70f7250a6cb1c58018276c4d99d14e6083efa523f8aa6ee712207803c095b

SHA512
5c8202b576cb7794c55938a999c2f940336ea8dd442d8e082e8baa1d7dc8bc422952c477268b2c971e6381bd2b34ed9acb03ed2d01420cae143f22a764c2c0bb

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\SDXHelperBgt.exe

Filesize
32KB

MD5
2ce9f90d623f587039202e7be2e8c0bd

SHA1
352d3dabbd10fa7256983337a9c1cf90a87c3145

SHA256
ee975f42b86ef9b6077934d0d4e854e28d7fa709cf5c5472caab6542984f2654

SHA512
862c2e2e9f9d544cae59269e041de5896bbee6180765ee729ab2dd8692a7b62cc8e6bd41e24e1f1486cb897233b84d293b0d7d3a5dfd35bb31d2824d07d4ac70

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\WINWORD.EXE

Filesize
14KB

MD5
d2449a44971cb6595479efc2fb9860ac

SHA1
11001de7841ce744ccb9215e558d1379c5718246

SHA256
d1966bcd774575b768927c7cc01f7f7baf68d17dc1aabc441ded3668c535e55e

SHA512
9f115c7a29b8042d83ba56b101ca5ff7be80b65a62577d5f58e2aaedfc8cbc83a3af082c8832ce9518c1e21bf1fd517cfa7297ba9dd4b55b822cd734a33d4e95

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\concrt140.dll

Filesize
301KB

MD5
1d2436ccbc0ce0e483e6346078401b31

SHA1
96623087821c584cd5125ba8124491b2eae22d55

SHA256
bb8bd7abb9e88b2fd0be6b035f7c6ca754550668207c64c6b84903ea47d795ab

SHA512
f71c3d81fcb7c65b22ca24ccc16472aa6457031e97ceaceeec5b0753518d9a2739a7f68199ad40e42d6f369e3e7e6a2ab4e31ae90200b89dc269a295d75c1993

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\cpprestsdk.dll

Filesize
1.9MB

MD5
697111f75c69832bb9cd23df9e2cd5b0

SHA1
f81fbc60d5f2c18d3acdda55af943de04072c7ad

SHA256
6b79cab5735370585c4f9761e9c03e935f0f3cefea6621a80411da3b5d5a1b55

SHA512
7acb3d020ac6498a64f4ed6b3dc071104883f77c648b9596bfe60de882fe98d42b4b747e9fe94d7c30286e98e876db67fa571fb96426348bd49b1ec307992403

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\excelcnv.exe

Filesize
320KB

MD5
95bb60553193bca6e012a01db6d88572

SHA1
25180c8c7763a6cc24a0ace32ddf0069127173bd

SHA256
f54bdcb8c27767dd35b45eaaa4338fb65423bf6882cff7447b82f69de0d3356a

SHA512
68891780ff3b276a9a9d698ee0cddd3a35988ecb8b4973eebc63c6d519caa54afe1792dba880e0a980c3e065d433b8057d6350a9825b33a3e01578f201987bfc

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\misc.exe

Filesize
256KB

MD5
55339217acf17cb8b55450f0a50a641e

SHA1
df42c6b3351f0cc04600fe0c34bef29f26970cde

SHA256
63ab5cb6e82d2548fa206a97b5ae7bc63f49abad8b26b221b793fe02a97cc426

SHA512
a6bff0698cf4ac9023609d754ed1fd02e81d68912a63dbaeaa35a7ffa8bc3026ebd3cf269ae719a3827de276f63b4f084d44bd4778abf5f875f876ded331ba9c

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\sdxs\FA000000083\StoreLogo.png

Filesize
4KB

MD5
3b41150e4cb804aa1b26cca06dc509c8

SHA1
dd983658528a86107b3f8d6370ea1287d2f0e21e

SHA256
ea757e4a70287f2a5ad3c5388ed2342bfad38ca41969ea23c84d8cd499839d9c

SHA512
f08ece3efc1b07306b487ca59ba9091545821558c75d741c0e7d086b5706d9dce7f3185e3fdf965cbc2674d3304a2a9db032c0b4c312028b466978efee72c3cb

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\Office16\vccorlib140.dll

Filesize
323KB

MD5
9bed9744723648ead234b8b2df061180

SHA1
a00973840fc5f8abd80506c1385f4d8a3d8e5624

SHA256
9a4e199267306a94f2187d259c42ce1403ac8a26514b2e4f694bfd6351aab34f

SHA512
1c8c0a469b9c011a0b5bc78b192bc6bcd935896dca9a2f1695dbf13cc8cc3c1956cf618cc1e2186fc34aa55cf2e6a5734cb943c603b455493713f246ba34686a

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\loc\AppXManifestLoc.16.en-us.xml

Filesize
8KB

MD5
ca656f7d455711b0c7dc17465c6142a4

SHA1
8deeed1e45c2475deadb14d71020a05e14c1cdb7

SHA256
18235bd171e5f402e8b83a8cb3c33f389e5b9b922b2d5d8825b4da928bd9d3af

SHA512
643baea96b04716dbc0804cdaba82a317354970f6f1852cdb529ad8387ef076514ee1dc610c9e558a7fa9beedc3b0aacc0f2f4c081a4e6c6d49155b4cdf243f2

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcp140.dll

Filesize
426KB

MD5
f006f706b6be636ca4500f50a47b4cd1

SHA1
cae8f1a530653e3cedb013358f47322953e30c65

SHA256
3bf46af40fe1c937eb1977148ebddda0acabaf7a4a973ceae9dc4f1873dc820b

SHA512
7696cd4c7f08bf7b367ce142e3a090ae4d0f798c16e09b82cc54ffae740acb97260880caf7ba0d5e5ce8088c7ddd0f7d3544f4c13425aa92ae723ce2cb68740d

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vccorlib140.dll

Filesize
261KB

MD5
ca455d40aa18feea47d7b44ac9a22909

SHA1
2e631a2c29d956bc8f3e3c6f2ef4d61aa0dc9b3c

SHA256
76418640c773e3c51bde25c70184bfc1311e127152b5a9fdf5acf4695d3ce254

SHA512
9b698b73c7d6eb3be875b5f7da72ebb7b7b08b4e9d1ebfafa0e085a72e1e93046dee6f229d5a8db404ae1df61ca9209f3e8373d8abe7d4c7b3a1d636a48036fe

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\vcruntime140.dll

Filesize
74KB

MD5
b5718a1ae28ca249c90de258194f7298

SHA1
24bc7d969950f796c368b87bcace42e748c7f5fe

SHA256
28b3c0d01481661de0d7249fca6799eebf749d2f83fc04b30fcd0223cc241668

SHA512
43ee0bea27da62aec8eeb8a17b92fdaf67d6024a5849e953504c449a1d1bbf05dcb4dfeff0871ed45e6aba9edbf5b307664714431f210f1e71ec62de324cf0e6

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l1-2-0.dll

Filesize
18KB

MD5
19df2b0f78dc3d8c470e836bae85e1ff

SHA1
03f2b5b848a51ee52980bf8595c559b89865de07

SHA256
bd9e07bbc62ce82dbc30c23069a17fbfa17f1c26a9c19e50fe754d494e6cd0b1

SHA512
c1c2b97f484e640bfdda17f7ed604d0583c3d4eaf21abf35491ccedc37fa4866480b59a692776687e5fda3eaeafb4c7bdb34dec91f996fd377a328a89c8d5724

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
adb3471f89e47cd93b6854d629906809

SHA1
2cfc0c379fd7f23db64d15bdff2925778ff65188

SHA256
355633a84db0816ab6a340a086fb41c65854c313bd08d427a17389c42a1e5b69

SHA512
f53e11aa35911d226b676d454e873d0e84c189dd1caea8a0fe54d738933cd6b139eca48630f37f5979ef898950d99f3277cba6c7a697103f505d876bea62818c

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
6b4f2ca3efceb2c21e93f92cdc150a9d

SHA1
2532af7a64ef4b5154752f61290dcf9ebeea290f

SHA256
b39a515b9e48fc6589703d45e14dcea2273a02d7fa6f2e1d17985c0228d32564

SHA512
63a42dd1cb95fd38ddde562108c78e39cb5d7c9406bf749339e717c2cd866f26268d49b6bd966b338de1c557a426a01a24c2480f64762fef587bc09d44ada53b

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
18KB

MD5
247061d7c5542286aeddade76897f404

SHA1
7285f85440b6eff8731943b73502f58ae40e95a2

SHA256
ccb974c24ddfa7446278ca55fc8b236d0605d2caaf273db8390d1813fc70cd5b

SHA512
23ef467f6bb336d3e8c38000d30a92dac68e2662891863475ff18dbddbbbce909c12d241b86dbdea085e7d19c82cd20d80a60ffb2845f6afebedf06507afe5bc

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-synch-l1-2-0.dll

Filesize
18KB

MD5
b9bc664a451424342a73a8b12918f88d

SHA1
c65599def1e69aed55ea557847d78bb3717d1d62

SHA256
0c5c4dfea72595fb7ae410f8fa8da983b53a83ce81aea144fa20cab613e641b7

SHA512
fe3f393fd61d35b368e42c3333656298a8243ba91b8242ee356950f8925317bf32ce4f37670b16a5a5ab5091903e61ae9c49c03fdc5f93193f215a58d80b9311

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-timezone-l1-1-0.dll

Filesize
18KB

MD5
bdd63ea2508c27b43e6d52b10da16915

SHA1
2a379a1ac406f70002f200e1af4fed95b62e7cb8

SHA256
7d4252ab1b79c5801b58a08ce16efd3b30d8235733028e5823f3709bd0a98bcf

SHA512
b0393f0d2eb2173766238d2139ae7dea7a456606f7cb1b0e8bc0375a405bc25d28ef1c804802dddb5c3dbd88cfd047bfa5c93cbb475d1d6b5a9a893b51e25128

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-core-xstate-l2-1-0.dll

Filesize
11KB

MD5
42dc903598ff9d2bfb92d3f1f1563a92

SHA1
7a612d66d11916640b9781168c723f5db7212839

SHA256
583be047aa83cce2e8950f5f550dabc5f7cb5957860316e3f409bfafb10b963c

SHA512
f6cc6edb7d84a1d24dcdd38f1fe3e14d83cd62ebab83cc87a34f0026b21e4cc2dc7e85a200d15405dd153b92fde08a05f0c8f16b77af8d0239567273e9a5c46f

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-conio-l1-1-0.dll

Filesize
19KB

MD5
e3d0f4e97f07033c1feaf72362bbb367

SHA1
2a175cea6f80ebe468d71260afb88da98df43bed

SHA256
3067981026fad83882f211bfe32210ce17f89c6a15916c13e62069e00d5a19e3

SHA512
794ae1574883a5320c97f32e4d8a45c211151223ba8b8f790a5a6f2b2bd8366a6fcb1b5e1d9b4a14d28372f15e05c6ad45801d67059e0aba4f5e0a62aa20966c

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-convert-l1-1-0.dll

Filesize
22KB

MD5
afc20d2ef1f6042f34006d01bfe82777

SHA1
a13adfc0d03bb06d4a8fe7fb4516f3e21258c333

SHA256
cd5256b2fb46deaa440950e4a68466b2b0ff61f28888383094182561738d10a9

SHA512
2c9f87d50d60ebe4c56257caf4dcf3db4d36739768274acc1d41d98676c3dd1527a9fdc998bfa00227d599fb9893aa20756bc34623fa9b678da5c10a0d0d2550

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-environment-l1-1-0.dll

Filesize
18KB

MD5
fe93c3825a95b48c27775664dc54cae4

SHA1
bae2925776e15081f445fbdd708e0179869b126d

SHA256
c4ed8f65c5a0dbf325482a69ab9f8cbd8c97d6120b87ce90ac4cba54ac7d377a

SHA512
23a7bc53b35de4893219a3b864c2355fd08f297b3c096000e1621ca0db974aa4b4799fd037f3a25b023e9ee81f304d351f92409aa6d9623bf27b5a8971b58a23

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
20KB

MD5
d76f73be5b6a2b5e2fa47bc39eccdfe5

SHA1
dfed2b210e65d61bf08847477a28a09b7765e900

SHA256
6c86e40c956eb6a77313fa8dd9c46579c5421fa890043f724c004a66796d37a6

SHA512
72a048fd647ba22d25f7680884ec7f9216c6bdbb7011869731b221d844a9a493dd502770d08dabb04f867c47ece29ca89b8762d97d71afe6788d72e3f8a30bb7

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-heap-l1-1-0.dll

Filesize
19KB

MD5
5d409d47f9aebd6015f7c71d526028c3

SHA1
0da61111b1e3dbb957162705aa2dbc4e693efb35

SHA256
7050043b0362c928aa63dd7800e5b123c775425eba21a5c57cbc052ebc1b0ba2

SHA512
62d2e5a6399f3cbd432e233cea8db0199df5c534870c29d7f5b30f935154cb9b756977d865514e57f52ff8b9be37f25cce5118d83c9039e47d9e8f95aa2575ce

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-locale-l1-1-0.dll

Filesize
18KB

MD5
0d50a16c2b3ec10b4d4e80ffeb0c1074

SHA1
b81f1639d62dfc7be7ae4d51dd3fae7f29a1a297

SHA256
fab41a942f623590402e4150a29d0f6f918ee096dba1e8b320ade3ec286c7475

SHA512
bfee8b2fa8bc5d95e699a82d01a6841a9ac210c288b9dd0aba20b7ebbcfb4363adde439404fe98dc03a6db38873902a335bca77e484fb46f04218696395f1877

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-math-l1-1-0.dll

Filesize
27KB

MD5
877c5ff146078466ff4370f3c0f02100

SHA1
85cf4c4a59f3b0442cdc346956b377bae5b9ca76

SHA256
9b05a43fdc185497e8c2cea3c6b9eb0d74327bd70913a298a6e8af64514190e8

SHA512
4bc5116d160c31aa24264f02e5d8ba0bd33e26e9632f9ad9018f5bb1964a5c99b325b19db9895483efb82f173962c8dfe70a857db3dfd11796cba82c0d9acd8d

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
26KB

MD5
ff4de9ce85c4b01312df6e3cdd81b0ff

SHA1
223224c883db39d060181d0b5cf03f2e2ef2e878

SHA256
d7e676b9f1e162957d0549ab0b91e2cd754643490b0654bf9a86aa1e77cb3c37

SHA512
021af3eca676cb3973993f983049cae2a325f399adecbf025284800f33c76f955cb4dbd50d412661402b8c8a6fd5162e53698000ab20f62d7f672f5d08d62c29

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-private-l1-1-0.dll

Filesize
69KB

MD5
b4be272187cb85e719dfb5bf48bb9b1b

SHA1
1c1b672759c2922082da07af77f0769d27e2e9aa

SHA256
ccaf41e616b9a872d35c8083cbf8fdc14371fa3ef159fe699514643c26a4ebf3

SHA512
d73ec9acad4fc73c27749ae136914a9dfcac0e965dec7db0f4784aac8d4b9d0e8cde3d28be8a53f53faab06ca0aa9e1a2962a03bd88fc8b044c46db36a00c446

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-process-l1-1-0.dll

Filesize
19KB

MD5
e18fd20e089cb2c2c58556575828be36

SHA1
1ccdc9443bae71a5455eff93a304eae16f087be7

SHA256
b06b2d8c944bff73bd5a4aad1cad6a4d724633e7bd6c6b9e236e35a99b1d35f2

SHA512
630d4992120ff0646f16d95a5a2cea6c727f87e01124ebd7f1158cef69adcd7d04b5676bd47fac4462c05cf070c520b6dc0016c30705b50894d406992c81f44f

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
22KB

MD5
c25321fe3a7244736383842a7c2c199f

SHA1
427ea01fc015a67ffd057a0e07166b7cd595dcfd

SHA256
bf55134f17b93d8ac4d8159a952bee17cb0c925f5256aa7f747c13e5f2d00661

SHA512
3aa08138a4bba4d5619e894e3ec66cc540db9f5fe94e226c9b4fc8a068ddb13039335aa72731e5dbdb89dfc6550c9f5d8f03441001c8fd43a77795a2197a8c60

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
24KB

MD5
53e23e326c11191a57ddf7ada5aa3c17

SHA1
af60bcca74f5b4b65c2b322ac7a5cedb9609c238

SHA256
293c76a26fbc0c86dcf5906dd9d9ddc77a5609ea8c191e88bdc907c03b80a3a5

SHA512
82c71b003332006beeafb99306dbcc6517a0f31f9659ea6b1607a88d6a2b15420aef6c47dfaf21fd3bd7502135fb37ba7a9321fc2a9b82c7deb85a75d43a6f58

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-string-l1-1-0.dll

Filesize
24KB

MD5
3a96f417129d6e26232dc64e8fee89a0

SHA1
47f9d89ea1694b94f4f8c5558311a915eca45379

SHA256
01e3c0aa24ce9f8d62753702df5d7a827c390af5e2b76d1f1a5b96c777fd1a4e

SHA512
0898c2c8751a6a0f75417c54157228ccf0e9f3facbfecc1268ecbd3d50eca69a3909c39ca788d9e2d5ccbf3b5ebcdc960df49e40a9c945fc8007d2dc4474f718

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-time-l1-1-0.dll

Filesize
20KB

MD5
05af3f787a38ed1974ff3bda3d752e69

SHA1
c88117f16a0ae4ccb4f3d3c8e733d213de654b04

SHA256
f4163cbc464a82fce47442447351265a287561c8d64ecc2f2f97f5e73bcb4347

SHA512
9bc364a4361e6ce3e9fc85317e8a252516006d1bae4bf8d2e0273337bbb7fe4a068a3e29966ff2707e974af323dd9ab7b086582504d3caed2ceb1e14d4a37559

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\api-ms-win-crt-utility-l1-1-0.dll

Filesize
18KB

MD5
f440dc5623419e013d07dd1fcd197156

SHA1
0e717f3ab9ccf1826a61eeccda9551d122730713

SHA256
bba068f29609630e8c6547f1e9219e11077426c4f1e4a93b712bfba11a149358

SHA512
e3fc916011d0caa0f8e194464d719e25eec62f48282c2bf815e4257d68eddb35e2e88cb44983fe2f202ee56af12bb026da90a5261a99272dabf2a13794a69898

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\mfc140u.dll

Filesize
5.4MB

MD5
1830bac8f9ea5897e6af978548fa88ce

SHA1
8c8ac85673816d3d0b8c65f844bfc4ec73e30db4

SHA256
3b7ee19a05a769e669cbe49595c29567cf27a346114b0c259fb844d0b6b8d50a

SHA512
9d799a3f1f00e214aa1a71bc1929a373acf8d024f7f513a054e09ecfb45e180834ae710f5a010aba3e1b50bd0eda2a097e246b708b14fc6ee2f85df6b725a721

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcp120.dll

Filesize
644KB

MD5
8c8d1140787da60a343dd11c1cdf4992

SHA1
a05114d3f8ff9d4b286668b31d47d85bf0fac434

SHA256
6aa1ece9dd340d05aec43248592a78b70d21959de8727f506d21a3a962348583

SHA512
79eeb1c69687cda2b92d9f57c6cd65dd959e6ace7f21d5783b8957c07f023d8250a249018a2d158b20654fcfd40cbe73a8aa1304d9310d0cb65d45d721fc08ba

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\msvcr120.dll

Filesize
940KB

MD5
49fb6e786b2f9df8812e0e317ced55cb

SHA1
d7f4061b77585d9f477e83b3898389e26cc6acaa

SHA256
9461f2e4add5c650102acde0c62377ff86d9b19fc20d0003f326ccd474e8b7b9

SHA512
da158ad731a1fba62d3eea8708dbcde5a4c5e044a4ceab80bfadb32f14d9120cede0f96bb94e0904a214924e6e188235fd19907272bf90e2a5d25f386d34cfd4

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\ucrtbase.dll

Filesize
256KB

MD5
a0928bd610d672c21cb39530cae06604

SHA1
1eaaa71565b722b9be59fd27e907d9ea9ab50af2

SHA256
895983d28a550476aa6e0a12fad355ebb3c44780d2c4ee8d73461f31ba5e97f1

SHA512
7ddbab713e34bb8c72af7f7e5be7a9013a4ed0de6a21475ff4d4075358f673d2029d531af6c5793f145a483cb57586e3943a2f3a5962b554ff6bce713c7827ef

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmdp32.msi

Filesize
2.5MB

MD5
7aac5873b75606da57355da32fc26b9d

SHA1
3f711256c0e7f21a0e27133de11271bf3df743b4

SHA256
c62406b6a1aa78cccd053212ea02f11160a4a9679b70a928f300af7c894ec347

SHA512
759624dd9cd8eec48d046582de82855196273e5cd7ce8d416b734a8025e2d0f129d41edac0a273e970b16b53971261568245e5d64f1bc3ee5645809fb6dbe2ed

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\osmia32.msi

Filesize
3.6MB

MD5
45040d21259cbccf135cf51afbb871b4

SHA1
86ec34fe257614d340b19932b9f21d30af129976

SHA256
e2f94745b3477eaabfc6a2b3b3ce3067799b9ce32e621aea65f8f1da98a23ce0

SHA512
7fc9efc87645bbd1324f63beece3d32a94668191f8562c6494129141be09e7dcbec786fa61ab26fb27716d599e4e8e6accb6c79a356033a7ae63661f38f010cb

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE

Filesize
128KB

MD5
1b8139fa97c154ecabd89ae9b0ead1c6

SHA1
9653accb7a0ab3c18a9e4e2987d2ed0edc97e587

SHA256
5e197e5d53537d2fb58fbfebf1e3790383c77649371d6b93cbc942071fe18ea1

SHA512
e018eb4cfe88cf24cb17ca1c7dc3c5d541b24ee40500350ecab18271ba74cc3148e412641fc91df46abf3b06f97482e57708b374734d0801f3da5d75c659ab78

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Filters\msvcr120.dll

Filesize
448KB

MD5
269e1a77767a7c73c2af8a4349b9c338

SHA1
4327203b1152f77b2de24df40ee12378063ea950

SHA256
064fa5bae2ffc9e9ffbc8bb091b81e4735fdb4db4c07edd265a441a263b0e2f2

SHA512
8728f8f9aba0516e8eb02f2db3aad406174cf6ed221ef081946ac2503402aa62e4e8bd0c4d1550292bc89e89f730a0fa108acf42ed2d88f6ec9274525375125f

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll

Filesize
237KB

MD5
613392f9e20b8214d0966bae9372437e

SHA1
19a3c99ccaa6772c8bb1e63650e7abdfa07536d5

SHA256
139087686d01ebba5cea10b7cbb93d2cf42c56c5096e29e2e4ce7a1d95008845

SHA512
0b4a3bd4ec65dcbf6151f945158748aaf1e837d88d95f5e7d0bd1759037371ee7232a42ab2e85d1c3f8ead4985bf0c38d91a439f1316c2fecc14e429f8fdc2a7

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\ProgramFilesX86\Microsoft Office\Office16\mfc140u.dll

Filesize
2.7MB

MD5
5204a74dbcfeb4c866391cee727849a6

SHA1
34f1efba81562da746a93b3101e49a1b8c6747cf

SHA256
5be1838a52601ff58d9334fc17505dfe8ab09188b4f6da9771fb65bea6ae22f6

SHA512
f14bb8eb7406d43d6238327152fd335d0ead8200d2b4f454b1c501597c378208218aa02eb1f574702d726cc3d91810b3ba1271968890eaf8cfa8590b23e3df4e

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\sscicons.exe

Filesize
80KB

MD5
d14e7c5272125341eabd4bd220375187

SHA1
f92dcb0d2f0875d025e3907242b3629b7b5c25be

SHA256
bb8ad489e9059e825200dcee47821c0dde1ac44a73b0bb531868547a84e4fcc3

SHA512
5aeef39358c244fc3ba0e1827c71f2d88cbc5ac6742fecab456c57eaafc9925f071b528ae4cf4f1aa5597c2e1d348cdea90e18a232b68d58896878fbcc140d5b

Download Submit
C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe

Filesize
512KB

MD5
65880a431441e9d0710d7c7bf3b5792e

SHA1
4537b2c8bb775431611980ffe04e3fdbdf631548

SHA256
03cb6a29ecdfb0beeb8f44f5f1e8aacd54b4ece7759b0c25d5a6c67f017b2ccb

SHA512
2571c5d4ab2d41694cd290795a90a7555afa968bcb7de20d7803dc18f05c7b362980a5686ada864f82e633d5b9aee0adf5767f8b46e4130da1a375972ff02cc9

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\en-us.16\MasterDescriptor.en-us.xml

Filesize
35KB

MD5
f2041340625b505fdcb9960a10a079b1

SHA1
20400195439e119d98c4a5397009a9a24748e375

SHA256
2325dccc464666f4d6910d8af555dabcdf50290fff00e5d7f92f02e7dc8835a4

SHA512
20363463b1d10bdaa403c59ce7e2520e6bb28c2837e0b50becc589e36c12d584fc7c03bcc970d88bd7c94c79f9e81962e8dec6435e964a23aca2d718e174eb0c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\en-us.16\stream.x64.en-us.dat.cat

Filesize
126KB

MD5
e196d19512fe22143869584745a3e89c

SHA1
080c2dd0959b146a0d374ae0d5e931fa984554d8

SHA256
8ffe78f8d51ee9dbe2c3568d2980915ce2fd1bdae7976b995188c9dbde589dfc

SHA512
290f4a73290dfc6ac152a1b7c0402a111b9a8a53fc31a5fb0ab77e07334120e8d2ca5d0910fdf3e1398c423fe31a417783995af62d8e91eed48682149d03838e

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\x-none.16\MasterDescriptor.x-none.xml

Filesize
35KB

MD5
1ef469cd7a637bbaa8e3d216ec293c29

SHA1
fd3a4ca6951a2e0960349962086a15f10808672c

SHA256
b0774db0a33f1a7693e6c050671aaea2d48de2cbc28c6299ca723fc24854d693

SHA512
5dbdfe4b49fc7debf8b9443157d797a847f208bc1f8d84a303e96f1fc3d534bea926f3996c8a89d51f26362f538d9928fd439c6061bd211fd4ebe3a45911524c

Download Submit
C:\ProgramData\Microsoft\ClickToRun\ProductReleases\F17B3CF0-A1D9-4FF7-B9CB-BBFD97C677F5\x-none.16\stream.x64.x-none.dat.cat

Filesize
621KB

MD5
05bf879dffca53b47ebb0c4e7109216a

SHA1
fb850349140debc9c6179c17ccd5ca61f1bf6d23

SHA256
7e4e1c0b0c2be2796cef107062451219a7a70e45188fa59d7f9e4735a171bbe5

SHA512
f81e10cb0c01c4ca953b6c2ca6e4a81b542d9a50216b9509e7fbde28f7bba50db7a66bc5b9dd692e3490e0bfddbae9a8acdef75710d1aaa5ea91ee9170dfc292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
c0636f2d138baca01dbb2eedb99bf3d5

SHA1
3b927899db0f3e2cb510782592887dc02fc3e400

SHA256
10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

SHA512
0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d775bcf7877976c5efe122f75e62de98

SHA1
ea917a67487073bafea51b347afc73e765be01b5

SHA256
321eac4efaef971fe4349cdfdb1271d3b2ade19272543109d8b8bd6810139657

SHA512
63e60364d98442c7ce148660ea5d6469f7f02a5d58047d365c84cacb421148c9873575449734e8ef4db83fa9c9110a2db299b9c887bc156ca9e2cf2415c99de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
b08b9272a63c7c00b3f2a18946b47b73

SHA1
22eade7b6d705175773c5eefe36a361b8daa673f

SHA256
e7e537536287b0c0afa228a86004745e4585634574dbc8c92507d8534eb9801f

SHA512
1f41cdf3e893d5dcabdde84af7c47d066c063f7ec8b698bbb81d69b702b1861aac0ae3f560e9627fe5fb30d1adc40db6123ea4a9b7bab644f3db6cccca065666

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c0c4f05856a10074f608a714492246ea

SHA1
9b35af2a0a7643b4a54c5cd60eb241f6a4fdc178

SHA256
8d2b159b1a0f9f3762ab27367f63e46ff51d5167e4d176fed2ac34990abf77b4

SHA512
805b797e0076c9da85a2340a52bbab808520883d62bdb2fc4c84b5db901df8a06d80bdf811f47dd9c5ef4cc490f524a909523ef7ec5366ad26cd4e22442d7adb

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
13c38447563f07e8747fe1e081358a10

SHA1
22451a7b9b11c942de2764fd33fa29f4f65d406f

SHA256
27b75d953fcd05a8bc14424a7cc0ec9d6353c139ef6809f2ba5c7879185598aa

SHA512
5481dc399f41f94c608f94573fa7ef51ea75d0ce1bf11781f833a1d51a79d2aa9875aa4bc242989c8dac3cb46ffd890944e4ea92c892c605a4ff045d9e26d748

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\files\files.dat

Filesize
765KB

MD5
bb5569b15d68c10b7ff2d96b45825120

SHA1
d6d2ed450aae4552f550f59bffe3dd42d8377835

SHA256
4e3b13b56bec0e41778e6506430282bbbd75ccaa600fd4b645ce37dd95b44c8e

SHA512
640a9ae2d40c272638485d37fad4ed83c9c215ce60a0bd3d50db9f033aa79d4c7fc276d018b05f0b1d8446f5e84a7350c857ee8097c05a472c26bfb446038957

Download Submit
C:\Users\Admin\AppData\Local\Temp\Office 2013-2024 C2R Install v7.7.7.5\files\setup.exe

Filesize
7.3MB

MD5
6b6f44e4ef1ee8fb94ea28aed02964fb

SHA1
c9f845c97b5c5863682c2f38f8f1ed26377b4dfb

SHA256
caf295438040eca0632d475eeecf51a16307a23cb87dcfce796d274e8e8ff221

SHA512
3227a32cf7bc64354ce81f7959299da612bc8a180aec0fafdd2d335354f85739984e389630ef5b9663cf98797a28f2ea0eb44cec6c905db50099a908cca11bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_w3d2vxng.tjc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\newui.reg

Filesize
1KB

MD5
7fb2bda7ca25568909eab0b872416ada

SHA1
23295a06a82a9ef408ec0409e6bc5f15c045c895

SHA256
92dc5f009e30e42d18b80fdcce0e029df6d56e387eb38e16c5585a9c5a0b41a7

SHA512
ea07f1a90991410d044bfc0420c2de4d2e445b30c62199277ab26b9a8ba11603e0652caa24bb26a2429cc6c12d76fc627751476b133158617e4439a7e59a883d

Download Submit
C:\Users\Admin\AppData\Local\Temp\over219349\i640.cab

Filesize
6.3MB

MD5
7af0574418981757bd6cb1afd1558f7d

SHA1
0c58ea36db4e6100fea897292426168f7a0d61c3

SHA256
16d9f013e58648e04b125d71f395f321a88c13b7ba4686a5c53f50bb928cafee

SHA512
40993f7a2161b72cdfa86e763e3cd9949779017d28b7736f5bd747463584a3daf8e18fcacc593241c359d10573d46c7397e73543f6cb25dd3cf92e4bef628573

Download Submit
C:\Users\Admin\AppData\Local\Temp\over219349\i641033.cab

Filesize
9KB

MD5
6fb3431a134e26406985d62430192f80

SHA1
99aa0f28c6f46eb079522fad81fdf7b5272922fe

SHA256
759906d0394bd87ca5b7b13d7257137ab7265cfdde470fff45a72b9edfc0fbf3

SHA512
29f741282b9176421380405165cf03dbdb99f971806d873b875bffa31ef6d70d098b4a744880c35affe70c7791cba17e3b7289b17ced8535ddf0a24b265f53b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ver.txt

Filesize
55KB

MD5
ee0af1df49f05968382f8d6419b44936

SHA1
4faa837d71ab87effd8263f745816db0bf4116e2

SHA256
5c708383b266c4a944aca5114efe1298cd586c6e1863d2eee0341e015060d22c

SHA512
10af2bed89d4cdd474841e64745e72a1eaa131a31de7536f84489adba3e0546a32e1c9d95921ccf81a3664ebc2188902d7e0fcb42ce4b3948bd13ddb9d2d3b47

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
230KB

MD5
09a6404fe962495762a5b35f4b6fb872

SHA1
434be5a2d025c9da465cc40d312b5416265507ae

SHA256
a2efc03a3ff3bd2cc87407f910fae2cc164d3d9df643f375f6bdbc9834611695

SHA512
81531e4852ba514cda8192e8dabc8de4d7e8331ac9d58275a2bd3a91d0d6108f0bbbe7e6d3e797142601921b436b05328aaa09aaa489337bfb5295f34b20daa6

Download Submit
C:\Windows\Temp\OFFICE~1\s640.cab

Filesize
1.1MB

MD5
e5ef068f57516c2556c31ae26fe71ec7

SHA1
6e2e60fbe7d6b81e5d5b792228f9228ec250e353

SHA256
64ae488bbf6f7923c10642bcf7ca3bcc7ccdb16e3b9948c41a3a4279c93a199f

SHA512
dcbed3d904896d95f477a2f54e71bf17c21f8ed75b2470add566f4eeec2587cf8fef6ed33186f555b3e4a7de4fe1716204c92fb79b7194128cfef4bab27bb59f

Download Submit
C:\Windows\Temp\OFFICE~1\s641033.cab

Filesize
384KB

MD5
8ed94645c430ef6094c5953dfd0f0125

SHA1
61bcbe8a4180c29ae1cb1ac598f88ecda0c1b0da

SHA256
ebb8d157b4753f60e1d7b3bcfecc05a5c68c762cf660d0c8d5377f88997dad11

SHA512
66de3d931bbcf748f8d84e1dcecb120d2b60d0f91493c691d1a0cd803ad8e0a215fd29f8aec4f6e415c8b2deae0fb11527362089c78bb3deaea5e67b3a22c4ef

Download Submit
memory/2668-46-0x0000000005F50000-0x00000000062A7000-memory.dmp

Filesize
3.3MB

Download
memory/2668-35-0x0000000005570000-0x0000000005592000-memory.dmp

Filesize
136KB

Download
memory/2668-30-0x0000000004F60000-0x0000000004F96000-memory.dmp

Filesize
216KB

Download
memory/2668-31-0x0000000073910000-0x00000000740C1000-memory.dmp

Filesize
7.7MB

Download
memory/2668-32-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2668-33-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2668-34-0x0000000005740000-0x0000000005D6A000-memory.dmp

Filesize
6.2MB

Download
memory/2668-36-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/2668-37-0x0000000005EE0000-0x0000000005F46000-memory.dmp

Filesize
408KB

Download
memory/2668-55-0x0000000073910000-0x00000000740C1000-memory.dmp

Filesize
7.7MB

Download
memory/2668-51-0x0000000006920000-0x000000000693A000-memory.dmp

Filesize
104KB

Download
memory/2668-50-0x0000000007A60000-0x00000000080DA000-memory.dmp

Filesize
6.5MB

Download
memory/2668-49-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/2668-48-0x0000000006610000-0x000000000665C000-memory.dmp

Filesize
304KB

Download
memory/2668-47-0x0000000006410000-0x000000000642E000-memory.dmp

Filesize
120KB

Download
memory/6008-499-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/6008-509-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/6008-512-0x00000000733D0000-0x0000000073B81000-memory.dmp

Filesize
7.7MB

Download
memory/6008-497-0x00000000733D0000-0x0000000073B81000-memory.dmp

Filesize
7.7MB

Download
memory/6008-498-0x00000000033B0000-0x00000000033C0000-memory.dmp

Filesize
64KB

Download
memory/6132-125-0x00000000733D0000-0x0000000073B81000-memory.dmp

Filesize
7.7MB

Download
memory/6132-122-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/6132-121-0x0000000006810000-0x000000000685C000-memory.dmp

Filesize
304KB

Download
memory/6132-108-0x00000000733D0000-0x0000000073B81000-memory.dmp

Filesize
7.7MB

Download
memory/6132-119-0x0000000005D80000-0x00000000060D7000-memory.dmp

Filesize
3.3MB

Download
memory/6132-115-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download
memory/6132-109-0x0000000002D30000-0x0000000002D40000-memory.dmp

Filesize
64KB

Download